CAF Outcome B4.b: Secure Configuration
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You securely configure the network and information systems that support the operation of essential functions.
NCSC CAF Mapped to NIST CSF
Mappings from B4.b: Secure Configuration to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.IP-12 | A vulnerability management plan is developed and implemented |
PR.PT-4 | Communications and control networks are protected |
PR.DS-5 | Protections against data leaks are implemented |
DE.CM-5 | Unauthorized mobile code is detected |
ID.AM-4 | External information systems are catalogued |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
PR.IP-3 | Configuration change control processes are in place |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
- Encrypt Sensitive Information: Protect sensitive information with strong encryption.
- Restrict File and Directory Permissions: Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
- Restrict Web-Based Content: Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
- User Account Management: Manage the creation, modification, use, and permissions associated to user accounts.
- Limit Access to Resource Over Network: Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
- Behavior Prevention on Endpoint: Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
- Credential Access Protection: Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
- User Account Control: Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
- Account Use Policies: Configure features related to account use like login attempt lockouts, specific login times, etc.
- Active Directory Configuration: Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
- Boot Integrity: Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
- Operating System Configuration: Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
- Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Password Policies: Set and enforce secure password policies for accounts.
- Code Signing: Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
- Limit Software Installation: Block users or groups from installing unapproved software.
- Restrict Library Loading: Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
- Application Isolation and Sandboxing: Restrict execution of code to a virtual environment on or in transit to an endpoint system.
- Network Segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
- Privileged Process Integrity: Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
- Environment Variable Permissions: Prevent modification of environment variables by unauthorized users and groups.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Strength of password-based authentication (SR 1.7), ISA/IEC 62443-3-3:2013
- Authenticator feedback (SR 1.10), ISA/IEC 62443-3-3:2013
- Mobile code (SR 2.4), ISA/IEC 62443-3-3:2013
- General purpose person-to-person communication restrictions (SR 5.3), ISA/IEC 62443-3-3:2013
- Authenticator management (SR 1.5), ISA/IEC 62443-3-3:2013
- Unsuccessful login attempts (SR 1.11), ISA/IEC 62443-3-3:2013
- Least functionality (SR 7.7), ISA/IEC 62443-3-3:2013
- Input validation (SR 3.5), ISA/IEC 62443-3-3:2013
- Disable access account after failed remote login attempts (4.3.3.6.7), ISA/IEC 62443-2-1:2009
- Identify the industrial automation and control systems (4.2.3.4), ISA/IEC 62443-2-1:2009
- Establish and document a patch management procedure (4.3.4.3.7), ISA/IEC 62443-2-1:2009
- Integrate cyber security and process safety management (PSM) change management procedures (4.3.4.3.5), ISA/IEC 62443-2-1:2009
- Change default passwords (4.3.3.5.7), ISA/IEC 62443-2-1:2009
- Require re-authentication after remote system inactivity (4.3.3.6.8), ISA/IEC 62443-2-1:2009
- Define and test security functions and capabilities (4.3.4.3.1), ISA/IEC 62443-2-1:2009
- Control system component inventory (SR 7.8), ISA/IEC 62443-3-3:2013
- Concurrent session control (SR 2.7), ISA/IEC 62443-3-3:2013
- Network and security configuration settings (SR 7.6), ISA/IEC 62443-3-3:2013
- Wireless use control (SR 2.2), ISA/IEC 62443-3-3:2013
- Session lock (SR 2.5), ISA/IEC 62443-3-3:2013
- Use control for portable and mobile devices (SR 2.3), ISA/IEC 62443-3-3:2013
- Software and information integrity (SR 3.4), ISA/IEC 62443-3-3:2013
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Restrictions on software installation (12.6.2), ISO 27001:2013
- System changes control procedures (14.2.2), ISO 27001:2013
- Verify, review, and evaluate information security continuity (17.1.3), ISO 27001:2013
- Network controls (13.1.1), ISO 27001:2013
- Technical review of applications after operating platform changes (14.2.3), ISO 27001:2013
- Installation of software on operational systems (12.5.1), ISO 27001:2013
- Restrictions on changes to software packages (14.2.4), ISO 27001:2013
- Controls against malware (12.2.1), ISO 27001:2013
- Secure development environment (14.2.6), ISO 27001:2013
- Change management (12.1.2), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1114.002 | Remote Email Collection | Collection |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1003 | OS Credential Dumping | Credential Access |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1020.001 | Traffic Duplication | Exfiltration |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1565.001 | Stored Data Manipulation | Impact |
T1602.002 | Network Device Configuration Dump | Collection |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1565.002 | Transmitted Data Manipulation | Impact |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1558.004 | AS-REP Roasting | Credential Access |
T1659 | Content Injection | Command and Control, Initial Access |
T1114 | Email Collection | Collection |
T1565 | Data Manipulation | Impact |
T1602.001 | SNMP (MIB Dump) | Collection |
T1040 | Network Sniffing | Credential Access, Discovery |
T1552 | Unsecured Credentials | Credential Access |
T1602 | Data from Configuration Repository | Collection |
T1558.002 | Silver Ticket | Credential Access |
T1114.001 | Local Email Collection | Collection |
T1119 | Automated Collection | Collection |
T1114.003 | Email Forwarding Rule | Collection |
T1003.003 | NTDS | Credential Access |
T1552.004 | Private Keys | Credential Access |
T1070 | Indicator Removal | Defense Evasion |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1530 | Data from Cloud Storage | Collection |
T1558.003 | Kerberoasting | Credential Access |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1563.001 | SSH Hijacking | Lateral Movement |
T1552.001 | Credentials In Files | Credential Access |
T1036 | Masquerading | Defense Evasion |
T1569 | System Services | Execution |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1489 | Service Stop | Impact |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1037.004 | RC Scripts | Persistence, Privilege Escalation |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
T1562 | Impair Defenses | Defense Evasion |
T1569.002 | Service Execution | Execution |
T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
T1070.003 | Clear Command History | Defense Evasion |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1218.002 | Control Panel | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1562.006 | Indicator Blocking | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1565.003 | Runtime Data Manipulation | Impact |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1037.002 | Login Hook | Persistence, Privilege Escalation |
T1070.009 | Clear Persistence | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1547.003 | Time Providers | Persistence, Privilege Escalation |
T1564.004 | NTFS File Attributes | Defense Evasion |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1036.003 | Rename System Utilities | Defense Evasion |
T1543.001 | Launch Agent | Persistence, Privilege Escalation |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1204.003 | Malicious Image | Execution |
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
T1505.004 | IIS Components | Persistence |
T1560 | Archive Collected Data | Collection |
T1563.002 | RDP Hijacking | Lateral Movement |
T1593.003 | Code Repositories | Reconnaissance |
T1606.001 | Web Cookies | Credential Access |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1578.005 | Modify Cloud Compute Configurations | Defense Evasion |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1087.004 | Cloud Account | Discovery |
T1176 | Browser Extensions | Persistence |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1562.012 | Disable or Modify Linux Audit System | Defense Evasion |
T1505.005 | Terminal Services DLL | Persistence |
T1059.006 | Python | Execution |
T1653 | Power Settings | Persistence |
T1505 | Server Software Component | Persistence |
T1610 | Deploy Container | Defense Evasion, Execution |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1612 | Build Image on Host | Defense Evasion |
T1213 | Data from Information Repositories | Collection |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1213.002 | Sharepoint | Collection |
T1566.002 | Spearphishing Link | Initial Access |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1528 | Steal Application Access Token | Credential Access |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1027.011 | Fileless Storage | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1606.002 | SAML Tokens | Credential Access |
T1606 | Forge Web Credentials | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1505.002 | Transport Agent | Persistence |
T1552.008 | Chat Messages | Credential Access |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1213.003 | Code Repositories | Collection |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1505.001 | SQL Stored Procedures | Persistence |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1552.006 | Group Policy Preferences | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1482 | Domain Trust Discovery | Discovery |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1213.001 | Confluence | Collection |
T1552.002 | Credentials in Registry | Credential Access |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1021.005 | VNC | Lateral Movement |
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
T1578.001 | Create Snapshot | Defense Evasion |
T1566.001 | Spearphishing Attachment | Initial Access |
T1102.001 | Dead Drop Resolver | Command and Control |
T1566 | Phishing | Initial Access |
T1568 | Dynamic Resolution | Command and Control |
T1568.002 | Domain Generation Algorithms | Command and Control |
T1567.003 | Exfiltration to Text Storage Sites | Exfiltration |
T1218.001 | Compiled HTML File | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1566.003 | Spearphishing via Service | Initial Access |
T1102 | Web Service | Command and Control |
T1204 | User Execution | Execution |
T1204.001 | Malicious Link | Execution |
T1059 | Command and Scripting Interpreter | Execution |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1567.001 | Exfiltration to Code Repository | Exfiltration |
T1189 | Drive-by Compromise | Initial Access |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1102.003 | One-Way Communication | Command and Control |
T1102.002 | Bidirectional Communication | Command and Control |
T1059.007 | JavaScript | Execution |
T1552.007 | Container API | Credential Access |
T1654 | Log Enumeration | Discovery |
T1609 | Container Administration Command | Execution |
T1490 | Inhibit System Recovery | Impact |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1021.008 | Direct Cloud VM Connections | Lateral Movement |
T1199 | Trusted Relationship | Initial Access |
T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1548.005 | Temporary Elevated Cloud Access | Defense Evasion, Privilege Escalation |
T1110.004 | Credential Stuffing | Credential Access |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1047 | Windows Management Instrumentation | Execution |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1569.001 | Launchctl | Execution |
T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
T1098.006 | Additional Container Cluster Roles | Persistence, Privilege Escalation |
T1505.003 | Web Shell | Persistence |
T1648 | Serverless Execution | Execution |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1580 | Cloud Infrastructure Discovery | Discovery |
T1110 | Brute Force | Credential Access |
T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
T1538 | Cloud Service Dashboard | Discovery |
T1059.008 | Network Device CLI | Execution |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1185 | Browser Session Hijacking | Collection |
T1619 | Cloud Storage Object Discovery | Discovery |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1657 | Financial Theft | Impact |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1021.004 | SSH | Lateral Movement |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
T1613 | Container and Resource Discovery | Discovery |
T1006 | Direct Volume Access | Defense Evasion |
T1133 | External Remote Services | Initial Access, Persistence |
T1200 | Hardware Additions | Initial Access |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1137.005 | Outlook Rules | Persistence |
T1216.001 | PubPrn | Defense Evasion |
T1204.002 | Malicious File | Execution |
T1027.009 | Embedded Payloads | Defense Evasion |
T1055.015 | ListPlanting | Defense Evasion, Privilege Escalation |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1003.001 | LSASS Memory | Credential Access |
T1559.002 | Dynamic Data Exchange | Execution |
T1137.004 | Outlook Home Page | Persistence |
T1137.003 | Outlook Forms | Persistence |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1486 | Data Encrypted for Impact | Impact |
T1559 | Inter-Process Communication | Execution |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1137.001 | Office Template Macros | Persistence |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1574.013 | KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
T1137.002 | Office Test | Persistence |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1055.011 | Extra Window Memory Injection | Defense Evasion, Privilege Escalation |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
T1027.010 | Command Obfuscation | Defense Evasion |
T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
T1137.006 | Add-ins | Persistence |
T1106 | Native API | Execution |
T1036.008 | Masquerade File Type | Defense Evasion |
T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
T1601.001 | Patch System Image | Defense Evasion |
T1601 | Modify System Image | Defense Evasion |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1599 | Network Boundary Bridging | Defense Evasion |
T1601.002 | Downgrade System Image | Defense Evasion |
T1546.011 | Application Shimming | Persistence, Privilege Escalation |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1110.003 | Password Spraying | Credential Access |
T1110.001 | Password Guessing | Credential Access |
T1003.006 | DCSync | Credential Access |
T1558.001 | Golden Ticket | Credential Access |
T1003.005 | Cached Domain Credentials | Credential Access |
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
T1542.003 | Bootkit | Defense Evasion, Persistence |
T1495 | Firmware Corruption | Impact |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1195.003 | Compromise Hardware Supply Chain | Initial Access |
T1542.001 | System Firmware | Defense Evasion, Persistence |
T1553.006 | Code Signing Policy Modification | Defense Evasion |
T1553.004 | Install Root Certificate | Defense Evasion |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1087.001 | Local Account | Discovery |
T1092 | Communication Through Removable Media | Command and Control |
T1136 | Create Account | Persistence |
T1003.002 | Security Account Manager | Credential Access |
T1087 | Account Discovery | Discovery |
T1135 | Network Share Discovery | Discovery |
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1136.002 | Domain Account | Persistence |
T1087.002 | Domain Account | Discovery |
T1553 | Subvert Trust Controls | Defense Evasion |
T1552.003 | Bash History | Credential Access |
T1564.002 | Hidden Users | Defense Evasion |
T1036.007 | Double File Extension | Defense Evasion |
T1052.001 | Exfiltration over USB | Exfiltration |
T1218.005 | Mshta | Defense Evasion |
T1127.001 | MSBuild | Defense Evasion |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1218.004 | InstallUtil | Defense Evasion |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1553.005 | Mark-of-the-Web Bypass | Defense Evasion |
T1218.007 | Msiexec | Defense Evasion |
T1564.007 | VBA Stomping | Defense Evasion |
T1218.013 | Mavinject | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1611 | Escape to Host | Privilege Escalation |
T1221 | Template Injection | Defense Evasion |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1555.004 | Windows Credential Manager | Credential Access |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1021.006 | Windows Remote Management | Lateral Movement |
T1218.014 | MMC | Defense Evasion |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1218.003 | CMSTP | Defense Evasion |
T1218.012 | Verclsid | Defense Evasion |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1046 | Network Service Discovery | Discovery |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1562.010 | Downgrade Attack | Defense Evasion |
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1218.008 | Odbcconf | Defense Evasion |
T1564.006 | Run Virtual Instance | Defense Evasion |
T1201 | Password Policy Discovery | Discovery |
T1187 | Forced Authentication | Credential Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1110.002 | Password Cracking | Credential Access |
T1555.005 | Password Managers | Credential Access |
T1003.004 | LSA Secrets | Credential Access |
T1003.007 | Proc Filesystem | Credential Access |
T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence |
T1555 | Credentials from Password Stores | Credential Access |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1555.001 | Keychain | Credential Access |
T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1554 | Compromise Client Software Binary | Persistence |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.002 | AppleScript | Execution |
T1203 | Exploitation for Client Execution | Execution |
T1559.001 | Component Object Model | Execution |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1027.006 | HTML Smuggling | Defense Evasion |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1212 | Exploitation for Credential Access | Credential Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1571 | Non-Standard Port | Command and Control |
T1136.003 | Cloud Account | Persistence |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1095 | Non-Application Layer Protocol | Command and Control |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1547.002 | Authentication Package | Persistence, Privilege Escalation |
T1547.005 | Security Support Provider | Persistence, Privilege Escalation |
T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |