[ { "Id": "T1012", "Name": "Query Registry", "Type": "Discovery", "Description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.", "URL": "https://attack.mitre.org/techniques/T1012" }, { "Id": "T1018", "Name": "Remote System Discovery", "Type": "Discovery", "Description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.", "URL": "https://attack.mitre.org/techniques/T1018" }, { "Id": "T1059", "Name": "Command-Line Interface", "Type": "Execution", "Description": "Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).", "URL": "https://attack.mitre.org/techniques/T1059" }, { "Id": "T1060", "Name": "Registry Run Keys / Startup Folder", "Type": "Persistence", "Description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account\u0027s associated permissions level.", "URL": "https://attack.mitre.org/techniques/T1060" }, { "Id": "T1130", "Name": "Install Root Certificate", "Type": "Defense Evasion", "Description": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root\u0027s chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.", "URL": "https://attack.mitre.org/techniques/T1130" }, { "Id": "T1135", "Name": "Network Share Discovery", "Type": "Discovery", "Description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.", "URL": "https://attack.mitre.org/techniques/T1135" }, { "Id": "T1204", "Name": "User Execution", "Type": "Execution", "Description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user\u0027s desktop hoping that a user will click on it.", "URL": "https://attack.mitre.org/techniques/T1204" } ]