Threats Library
Reusable threat definitions (causes on the left side of bow-tie diagrams).
658 threats — page 1 of 14
| Name | Category | Description |
|---|---|---|
| Archive Collected Data | Collection | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing t… |
| Archive Collected Data: Archive via Custom Method | Collection | An adversary may compress or encrypt data that is collected prior to exfiltration using a custom met… |
| Archive Collected Data: Archive via Library | Collection | An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party li… |
| Archive Collected Data: Archive via Utility | Collection | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many … |
| Audio Capture | Collection | An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applica… |
| Automated Collection | Collection | Once established within a system or network, an adversary may use automated techniques for collectin… |
| Browser Session Hijacking | Collection | Adversaries may take advantage of security vulnerabilities and inherent functionality in browser sof… |
| Clipboard Data | Collection | Adversaries may collect data stored in the clipboard from users copying information within or betwee… |
| Data Staged | Collection | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data … |
| Data Staged: Local Data Staging | Collection | Adversaries may stage collected data in a central location or directory on the local system prior to… |
| Data Staged: Remote Data Staging | Collection | Adversaries may stage data collected from multiple systems in a central location or directory on one… |
| Data from Cloud Storage | Collection | Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data … |
| Data from Configuration Repository | Collection | Adversaries may collect data related to managed devices from configuration repositories. Configurati… |
| Data from Configuration Repository: Network Device Configuration Dump | Collection | Adversaries may access network configuration files to collect sensitive data about the device and th… |
| Data from Configuration Repository: SNMP (MIB Dump) | Collection | Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable informa… |
| Data from Information Repositories | Collection | Adversaries may leverage information repositories to mine valuable information. Information reposito… |
| Data from Information Repositories: Code Repositories | Collection | Adversaries may leverage code repositories to collect valuable information. Code repositories are to… |
| Data from Information Repositories: Confluence | Collection | Adversaries may leverage Confluence repositories to mine valuable information. Often found in develo… |
| Data from Information Repositories: Customer Relationship Management Software | Collection | Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable informatio… |
| Data from Information Repositories: Databases | Collection | Adversaries may leverage databases to mine valuable information. These databases may be hosted on-pr… |
| Data from Information Repositories: Messaging Applications | Collection | Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and … |
| Data from Information Repositories: Sharepoint | Collection | Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePo… |
| Data from Local System | Collection | Adversaries may search local system sources, such as file systems, configuration files, local databa… |
| Data from Network Shared Drive | Collection | Adversaries may search network shares on computers they have compromised to find files of interest. … |
| Data from Removable Media | Collection | Adversaries may search connected removable media on computers they have compromised to find files of… |
| Email Collection | Collection | Adversaries may target user email to collect sensitive information. Emails may contain sensitive dat… |
| Email Collection: Email Forwarding Rule | Collection | Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse… |
| Email Collection: Local Email Collection | Collection | Adversaries may target user email on local systems to collect sensitive information. Files containin… |
| Email Collection: Remote Email Collection | Collection | Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive info… |
| Input Capture | Collection | Adversaries may use methods of capturing user input to obtain credentials or collect information. Du… |
| Input Capture: Credential API Hooking | Collection | Adversaries may hook into Windows application programming interface (API) functions and Linux system… |
| Input Capture: GUI Input Capture | Collection | Adversaries may mimic common operating system GUI components to prompt users for credentials with a … |
| Input Capture: Keylogging | Collection | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is l… |
| Input Capture: Web Portal Capture | Collection | Adversaries may install code on externally facing portals, such as a VPN login page, to capture and … |
| Screen Capture | Collection | Adversaries may attempt to take screen captures of the desktop to gather information over the course… |
| Video Capture | Collection | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or a… |
| Application Layer Protocol | Command And Control | Adversaries may communicate using OSI application layer protocols to avoid detection/network filteri… |
| Application Layer Protocol: DNS | Command And Control | Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid d… |
| Application Layer Protocol: File Transfer Protocols | Command And Control | Adversaries may communicate using application layer protocols associated with transferring files to … |
| Application Layer Protocol: Mail Protocols | Command And Control | Adversaries may communicate using application layer protocols associated with electronic mail delive… |
| Application Layer Protocol: Publish/Subscribe Protocols | Command And Control | Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid d… |
| Application Layer Protocol: Web Protocols | Command And Control | Adversaries may communicate using application layer protocols associated with web traffic to avoid d… |
| Communication Through Removable Media | Command And Control | Adversaries can perform command and control between compromised hosts on potentially disconnected ne… |
| Data Encoding | Command And Control | Adversaries may encode data to make the content of command and control traffic more difficult to det… |
| Data Encoding: Non-Standard Encoding | Command And Control | Adversaries may encode data with a non-standard data encoding system to make the content of command … |
| Data Encoding: Standard Encoding | Command And Control | Adversaries may encode data with a standard data encoding system to make the content of command and … |
| Data Obfuscation | Command And Control | Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command a… |
| Data Obfuscation: Junk Data | Command And Control | Adversaries may add junk data to protocols used for command and control to make detection more diffi… |
| Data Obfuscation: Protocol or Service Impersonation | Command And Control | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and cont… |
| Data Obfuscation: Steganography | Command And Control | Adversaries may use steganographic techniques to hide command and control traffic to make detection … |