Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
661 threats — page 9 of 14
| Name | Category | Tags | Description |
|---|---|---|---|
| System Services | Execution | | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can ex… |
| System Services: Launchctl | Execution | | Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, … |
| System Services: Service Execution | Execution | | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.… |
| System Services: Systemctl | Execution | | Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface … |
| User Execution | Execution | | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subje… |
| User Execution: Malicious Copy and Paste | Execution | | An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be … |
| User Execution: Malicious File | Execution | | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be … |
| User Execution: Malicious Image | Execution | | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Service… |
| User Execution: Malicious Library | Execution | | Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors… |
| User Execution: Malicious Link | Execution | | An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be… |
| Windows Management Instrumentation | Execution | | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and pay… |
| Automated Exfiltration | Exfiltration | | Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processin… |
| Automated Exfiltration: Traffic Duplication | Exfiltration | | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised i… |
| Data Transfer Size Limits | Exfiltration | | An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes b… |
| Exfiltration Over Alternative Protocol | Exfiltration | | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing co… |
| Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration | | Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol othe… |
| Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | | Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other … |
| Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration | | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that … |
| Exfiltration Over C2 Channel | Exfiltration | | Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen d… |
| Exfiltration Over Other Network Medium | Exfiltration | | Adversaries may attempt to exfiltrate data over a different network medium than the command and cont… |
| Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth | Exfiltration | | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channe… |
| Exfiltration Over Physical Medium | Exfiltration | | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In cert… |
| Exfiltration Over Physical Medium: Exfiltration over USB | Exfiltration | | Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumst… |
| Exfiltration Over Web Service | Exfiltration | | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than thei… |
| Exfiltration Over Web Service: Exfiltration Over Webhook | Exfiltration | | Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and con… |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltration | | Adversaries may exfiltrate data to a cloud storage service rather than over their primary command an… |
| Exfiltration Over Web Service: Exfiltration to Code Repository | Exfiltration | | Adversaries may exfiltrate data to a code repository rather than over their primary command and cont… |
| Exfiltration Over Web Service: Exfiltration to Text Storage Sites | Exfiltration | | Adversaries may exfiltrate data to text storage sites instead of their primary command and control c… |
| Scheduled Transfer | Exfiltration | | Adversaries may schedule data exfiltration to be performed only at certain times of day or at certai… |
| Transfer Data to Cloud Account | Exfiltration | | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and crea… |
| Content Injection | Initial Access | | Adversaries may gain access and continuously communicate with victims by injecting malicious content… |
| Drive-by Compromise | Initial Access | | Adversaries may gain access to a system through a user visiting a website over the normal course of … |
| Exploit Public-Facing Application | Initial Access | | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially acce… |
| Hardware Additions | Initial Access | | Adversaries may physically introduce computer accessories, networking hardware, or other computing d… |
| Phishing | Initial Access | | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are e… |
| Phishing: Spearphishing Attachment | Initial Access | | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access t… |
| Phishing: Spearphishing Link | Initial Access | | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to vict… |
| Phishing: Spearphishing Voice | Initial Access | | Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing … |
| Phishing: Spearphishing via Service | Initial Access | | Adversaries may send spearphishing messages via third-party services in an attempt to gain access to… |
| Supply Chain Compromise | Initial Access | | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consu… |
| Supply Chain Compromise: Compromise Hardware Supply Chain | Initial Access | | Adversaries may manipulate hardware components in products prior to receipt by a final consumer for … |
| Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Initial Access | | Adversaries may manipulate software dependencies and development tools prior to receipt by a final c… |
| Supply Chain Compromise: Compromise Software Supply Chain | Initial Access | | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose… |
| Trusted Relationship | Initial Access | | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Acce… |
| Wi-Fi Networks | Initial Access | | Adversaries may gain initial access to target systems by connecting to wireless networks. They may a… |
| Exploitation of Remote Services | Lateral Movement | | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside … |
| Internal Spearphishing | Lateral Movement | | After they already have access to accounts or systems within the environment, adversaries may use in… |
| Lateral Tool Transfer | Lateral Movement | | Adversaries may transfer tools or other files between systems in a compromised environment. Once bro… |
| Remote Service Session Hijacking | Lateral Movement | | Adversaries may take control of preexisting sessions with remote services to move laterally in an en… |
| Remote Service Session Hijacking: RDP Hijacking | Lateral Movement | | Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an enviro… |