[
{
"Id": "T1003",
"Name": "Credential Dumping",
"Type": "Credential Access",
"Description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.",
"URL": "https://attack.mitre.org/techniques/T1003"
},
{
"Id": "T1012",
"Name": "Query Registry",
"Type": "Discovery",
"Description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
"URL": "https://attack.mitre.org/techniques/T1012"
},
{
"Id": "T1059",
"Name": "Command-Line Interface",
"Type": "Execution",
"Description": "Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes the permissions context for that execution (e.g. Scheduled Task).",
"URL": "https://attack.mitre.org/techniques/T1059"
},
{
"Id": "T1060",
"Name": "Registry Run Keys / Startup Folder",
"Type": "Persistence",
"Description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account\u0027s associated permissions level.",
"URL": "https://attack.mitre.org/techniques/T1060"
},
{
"Id": "T1081",
"Name": "Credentials in Files",
"Type": "Credential Access",
"Description": "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
"URL": "https://attack.mitre.org/techniques/T1081"
},
{
"Id": "T1082",
"Name": "System Information Discovery",
"Type": "Discovery",
"Description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.",
"URL": "https://attack.mitre.org/techniques/T1082"
},
{
"Id": "T1106",
"Name": "Execution through API",
"Type": "Execution",
"Description": "Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.",
"URL": "https://attack.mitre.org/techniques/T1106"
},
{
"Id": "T1129",
"Name": "Execution through Module Load",
"Type": "Execution",
"Description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.",
"URL": "https://attack.mitre.org/techniques/T1129"
},
{
"Id": "T1140",
"Name": "Deobfuscate/Decode Files or Information",
"Type": "Defense Evasion",
"Description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system.",
"URL": "https://attack.mitre.org/techniques/T1140"
}
]