Created
January 31, 2022 18:29
MITRE ATT&CK - LaTeX functions
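\usepackage{hyperref}
\usepackage{xstring}
% hyperref is loaded above without options.  A document that wants options
% (e.g. hidelinks) has to load hyperref itself before \input-ing this file;
% requesting options after this plain load raises an option clash.
%
% Base URL of the technique pages; \tid, \tidtext and \texttid build their
% links from it.  \providecommand lets a document \newcommand its own value
% (e.g. a local mirror) before this file is read.
\providecommand*{\attackbaseurl}{https://attack.mitre.org/techniques/}
\makeatletter
% \tid{T1234} returns 'T1234' with a hyperlink to its MITRE ATT&CK page.
% The URL path form of an ID replaces the dot: 'T1059.001' -> 'T1059/001'.
% The xstring result is stored in \mitre@tidpath (an @-name) rather than the
% generic \temp, so it cannot clobber a \temp the document itself defines.
\DeclareRobustCommand{\tid}[1]{\StrSubstitute{#1}{.}{/}[\mitre@tidpath]%
  \href{\attackbaseurl\mitre@tidpath/}{#1}}
% \tidtext{T1234} returns 'T1234: Technique Name' with T1234 containing a hyperlink to its MITRE ATT&CK page
\DeclareRobustCommand{\tidtext}[1]{\tid{#1}: \gettid{#1}}
% \texttid{T1234} returns 'Technique Name (T1234)' with T1234 containing a hyperlink to its MITRE ATT&CK page
\DeclareRobustCommand{\texttid}[1]{\gettid{#1} (\tid{#1})}
% \deftid{ID}{Name} stores Name in the control sequence \tid_ID;
% \gettid{ID} expands to it.  \@nameuse alone expands an unregistered ID to
% nothing, so a typo would silently print 'T1234: ' with no name; \gettid
% therefore checks the entry first and writes a warning to the log.
\newcommand*{\deftid}[1]{\@namedef{tid_#1}}
\newcommand*{\gettid}[1]{%
  \@ifundefined{tid_#1}%
    {\PackageWarning{mitre-attack}{Unknown technique ID `#1'}}%
    {\@nameuse{tid_#1}}}
\makeatother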
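% ID -> name lookup table for \gettid (see \deftid above): one entry per
% technique or sub-technique, ordered by ID with sub-techniques (T1001.001)
% listed before their parent (T1001).  Several names occur under more than
% one ID (e.g. T1075 and T1550.002 are both 'Pass the Hash'), so older IDs
% resolve alongside the newer sub-technique IDs.  Names are typeset verbatim
% by \gettid, so characters special to LaTeX must be escaped: the four names
% containing an underscore use \_ (a bare _ outside math raises
% 'Missing $ inserted' as soon as \gettid expands the entry).
\deftid{T1001.001}{Junk Data}
\deftid{T1001.002}{Steganography}
\deftid{T1001.003}{Protocol Impersonation}
\deftid{T1001}{Data Obfuscation}
\deftid{T1002}{Data Compressed}
\deftid{T1003.001}{LSASS Memory}
\deftid{T1003.002}{Security Account Manager}
\deftid{T1003.003}{NTDS}
\deftid{T1003.004}{LSA Secrets}
\deftid{T1003.005}{Cached Domain Credentials}
\deftid{T1003.006}{DCSync}
\deftid{T1003.007}{Proc Filesystem}
\deftid{T1003.008}{/etc/passwd and /etc/shadow}
\deftid{T1003}{OS Credential Dumping}
\deftid{T1004}{Winlogon Helper DLL}
\deftid{T1005}{Data from Local System}
\deftid{T1006}{Direct Volume Access}
\deftid{T1007}{System Service Discovery}
\deftid{T1008}{Fallback Channels}
\deftid{T1009}{Binary Padding}
\deftid{T1010}{Application Window Discovery}
\deftid{T1011.001}{Exfiltration Over Bluetooth}
\deftid{T1011}{Exfiltration Over Other Network Medium}
\deftid{T1012}{Query Registry}
\deftid{T1013}{Port Monitors}
\deftid{T1014}{Rootkit}
\deftid{T1015}{Accessibility Features}
\deftid{T1016.001}{Internet Connection Discovery}
\deftid{T1016}{System Network Configuration Discovery}
\deftid{T1017}{Application Deployment Software}
\deftid{T1018}{Remote System Discovery}
\deftid{T1019}{System Firmware}
\deftid{T1020.001}{Traffic Duplication}
\deftid{T1020}{Automated Exfiltration}
\deftid{T1021.001}{Remote Desktop Protocol}
\deftid{T1021.002}{SMB/Windows Admin Shares}
\deftid{T1021.003}{Distributed Component Object Model}
\deftid{T1021.004}{SSH}
\deftid{T1021.005}{VNC}
\deftid{T1021.006}{Windows Remote Management}
\deftid{T1021}{Remote Services}
\deftid{T1022}{Data Encrypted}
\deftid{T1023}{Shortcut Modification}
\deftid{T1024}{Custom Cryptographic Protocol}
\deftid{T1025}{Data from Removable Media}
\deftid{T1026}{Multiband Communication}
\deftid{T1027.001}{Binary Padding}
\deftid{T1027.002}{Software Packing}
\deftid{T1027.003}{Steganography}
\deftid{T1027.004}{Compile After Delivery}
\deftid{T1027.005}{Indicator Removal from Tools}
\deftid{T1027.006}{HTML Smuggling}
\deftid{T1027}{Obfuscated Files or Information}
\deftid{T1028}{Windows Remote Management}
\deftid{T1029}{Scheduled Transfer}
\deftid{T1030}{Data Transfer Size Limits}
\deftid{T1031}{Modify Existing Service}
\deftid{T1032}{Standard Cryptographic Protocol}
\deftid{T1033}{System Owner/User Discovery}
\deftid{T1034}{Path Interception}
\deftid{T1035}{Service Execution}
\deftid{T1036.001}{Invalid Code Signature}
\deftid{T1036.002}{Right-to-Left Override}
\deftid{T1036.003}{Rename System Utilities}
\deftid{T1036.004}{Masquerade Task or Service}
\deftid{T1036.005}{Match Legitimate Name or Location}
\deftid{T1036.006}{Space after Filename}
\deftid{T1036.007}{Double File Extension}
\deftid{T1036}{Masquerading}
\deftid{T1037.001}{Logon Script (Windows)}
\deftid{T1037.002}{Logon Script (Mac)}
\deftid{T1037.003}{Network Logon Script}
\deftid{T1037.004}{RC Scripts}
\deftid{T1037.005}{Startup Items}
\deftid{T1037}{Boot or Logon Initialization Scripts}
\deftid{T1038}{DLL Search Order Hijacking}
\deftid{T1039}{Data from Network Shared Drive}
\deftid{T1040}{Network Sniffing}
\deftid{T1041}{Exfiltration Over C2 Channel}
\deftid{T1042}{Change Default File Association}
\deftid{T1043}{Commonly Used Port}
\deftid{T1044}{File System Permissions Weakness}
\deftid{T1045}{Software Packing}
\deftid{T1046}{Network Service Scanning}
\deftid{T1047}{Windows Management Instrumentation}
\deftid{T1048.001}{Exfiltration Over Symmetric Encrypted Non-C2 Protocol}
\deftid{T1048.002}{Exfiltration Over Asymmetric Encrypted Non-C2 Protocol}
\deftid{T1048.003}{Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol}
\deftid{T1048}{Exfiltration Over Alternative Protocol}
\deftid{T1049}{System Network Connections Discovery}
\deftid{T1050}{New Service}
\deftid{T1051}{Shared Webroot}
\deftid{T1052.001}{Exfiltration over USB}
\deftid{T1052}{Exfiltration Over Physical Medium}
\deftid{T1053.001}{At (Linux)}
\deftid{T1053.002}{At (Windows)}
\deftid{T1053.003}{Cron}
\deftid{T1053.004}{Launchd}
\deftid{T1053.005}{Scheduled Task}
\deftid{T1053.006}{Systemd Timers}
\deftid{T1053.007}{Container Orchestration Job}
\deftid{T1053}{Scheduled Task/Job}
\deftid{T1054}{Indicator Blocking}
\deftid{T1055.001}{Dynamic-link Library Injection}
\deftid{T1055.002}{Portable Executable Injection}
\deftid{T1055.003}{Thread Execution Hijacking}
\deftid{T1055.004}{Asynchronous Procedure Call}
\deftid{T1055.005}{Thread Local Storage}
\deftid{T1055.008}{Ptrace System Calls}
\deftid{T1055.009}{Proc Memory}
\deftid{T1055.011}{Extra Window Memory Injection}
\deftid{T1055.012}{Process Hollowing}
\deftid{T1055.013}{Process Doppelgänging}
\deftid{T1055.014}{VDSO Hijacking}
\deftid{T1055}{Process Injection}
\deftid{T1056.001}{Keylogging}
\deftid{T1056.002}{GUI Input Capture}
\deftid{T1056.003}{Web Portal Capture}
\deftid{T1056.004}{Credential API Hooking}
\deftid{T1056}{Input Capture}
\deftid{T1057}{Process Discovery}
\deftid{T1058}{Service Registry Permissions Weakness}
\deftid{T1059.001}{PowerShell}
\deftid{T1059.002}{AppleScript}
\deftid{T1059.003}{Windows Command Shell}
\deftid{T1059.004}{Unix Shell}
\deftid{T1059.005}{Visual Basic}
\deftid{T1059.006}{Python}
\deftid{T1059.007}{JavaScript}
\deftid{T1059.008}{Network Device CLI}
\deftid{T1059}{Command and Scripting Interpreter}
\deftid{T1060}{Registry Run Keys / Startup Folder}
\deftid{T1061}{Graphical User Interface}
\deftid{T1062}{Hypervisor}
\deftid{T1063}{Security Software Discovery}
\deftid{T1064}{Scripting}
\deftid{T1065}{Uncommonly Used Port}
\deftid{T1066}{Indicator Removal from Tools}
\deftid{T1067}{Bootkit}
\deftid{T1068}{Exploitation for Privilege Escalation}
\deftid{T1069.001}{Local Groups}
\deftid{T1069.002}{Domain Groups}
\deftid{T1069.003}{Cloud Groups}
\deftid{T1069}{Permission Groups Discovery}
\deftid{T1070.001}{Clear Windows Event Logs}
\deftid{T1070.002}{Clear Linux or Mac System Logs}
\deftid{T1070.003}{Clear Command History}
\deftid{T1070.004}{File Deletion}
\deftid{T1070.005}{Network Share Connection Removal}
\deftid{T1070.006}{Timestomp}
\deftid{T1070}{Indicator Removal on Host}
\deftid{T1071.001}{Web Protocols}
\deftid{T1071.002}{File Transfer Protocols}
\deftid{T1071.003}{Mail Protocols}
\deftid{T1071.004}{DNS}
\deftid{T1071}{Application Layer Protocol}
\deftid{T1072}{Software Deployment Tools}
\deftid{T1073}{DLL Side-Loading}
\deftid{T1074.001}{Local Data Staging}
\deftid{T1074.002}{Remote Data Staging}
\deftid{T1074}{Data Staged}
\deftid{T1075}{Pass the Hash}
\deftid{T1076}{Remote Desktop Protocol}
\deftid{T1077}{Windows Admin Shares}
\deftid{T1078.001}{Default Accounts}
\deftid{T1078.002}{Domain Accounts}
\deftid{T1078.003}{Local Accounts}
\deftid{T1078.004}{Cloud Accounts}
\deftid{T1078}{Valid Accounts}
\deftid{T1079}{Multilayer Encryption}
\deftid{T1080}{Taint Shared Content}
\deftid{T1081}{Credentials in Files}
\deftid{T1082}{System Information Discovery}
\deftid{T1083}{File and Directory Discovery}
\deftid{T1084}{Windows Management Instrumentation Event Subscription}
\deftid{T1085}{Rundll32}
\deftid{T1086}{PowerShell}
\deftid{T1087.001}{Local Account}
\deftid{T1087.002}{Domain Account}
\deftid{T1087.003}{Email Account}
\deftid{T1087.004}{Cloud Account}
\deftid{T1087}{Account Discovery}
\deftid{T1088}{Bypass User Account Control}
\deftid{T1089}{Disabling Security Tools}
\deftid{T1090.001}{Internal Proxy}
\deftid{T1090.002}{External Proxy}
\deftid{T1090.003}{Multi-hop Proxy}
\deftid{T1090.004}{Domain Fronting}
\deftid{T1090}{Proxy}
\deftid{T1091}{Replication Through Removable Media}
\deftid{T1092}{Communication Through Removable Media}
\deftid{T1093}{Process Hollowing}
\deftid{T1094}{Custom Command and Control Protocol}
\deftid{T1095}{Non-Application Layer Protocol}
\deftid{T1096}{NTFS File Attributes}
\deftid{T1097}{Pass the Ticket}
\deftid{T1098.001}{Additional Cloud Credentials}
\deftid{T1098.002}{Exchange Email Delegate Permissions}
\deftid{T1098.003}{Add Office 365 Global Administrator Role}
\deftid{T1098.004}{SSH Authorized Keys}
\deftid{T1098}{Account Manipulation}
\deftid{T1099}{Timestomp}
\deftid{T1100}{Web Shell}
\deftid{T1101}{Security Support Provider}
\deftid{T1102.001}{Dead Drop Resolver}
\deftid{T1102.002}{Bidirectional Communication}
\deftid{T1102.003}{One-Way Communication}
\deftid{T1102}{Web Service}
\deftid{T1103}{AppInit DLLs}
\deftid{T1104}{Multi-Stage Channels}
\deftid{T1105}{Ingress Tool Transfer}
\deftid{T1106}{Native API}
\deftid{T1107}{File Deletion}
\deftid{T1108}{Redundant Access}
\deftid{T1109}{Component Firmware}
\deftid{T1110.001}{Password Guessing}
\deftid{T1110.002}{Password Cracking}
\deftid{T1110.003}{Password Spraying}
\deftid{T1110.004}{Credential Stuffing}
\deftid{T1110}{Brute Force}
\deftid{T1111}{Two-Factor Authentication Interception}
\deftid{T1112}{Modify Registry}
\deftid{T1113}{Screen Capture}
\deftid{T1114.001}{Local Email Collection}
\deftid{T1114.002}{Remote Email Collection}
\deftid{T1114.003}{Email Forwarding Rule}
\deftid{T1114}{Email Collection}
\deftid{T1115}{Clipboard Data}
\deftid{T1116}{Code Signing}
\deftid{T1117}{Regsvr32}
\deftid{T1118}{InstallUtil}
\deftid{T1119}{Automated Collection}
\deftid{T1120}{Peripheral Device Discovery}
\deftid{T1121}{Regsvcs/Regasm}
\deftid{T1122}{Component Object Model Hijacking}
\deftid{T1123}{Audio Capture}
\deftid{T1124}{System Time Discovery}
\deftid{T1125}{Video Capture}
\deftid{T1126}{Network Share Connection Removal}
\deftid{T1127.001}{MSBuild}
\deftid{T1127}{Trusted Developer Utilities Proxy Execution}
\deftid{T1128}{Netsh Helper DLL}
\deftid{T1129}{Shared Modules}
\deftid{T1130}{Install Root Certificate}
\deftid{T1131}{Authentication Package}
\deftid{T1132.001}{Standard Encoding}
\deftid{T1132.002}{Non-Standard Encoding}
\deftid{T1132}{Data Encoding}
\deftid{T1133}{External Remote Services}
\deftid{T1134.001}{Token Impersonation/Theft}
\deftid{T1134.002}{Create Process with Token}
\deftid{T1134.003}{Make and Impersonate Token}
\deftid{T1134.004}{Parent PID Spoofing}
\deftid{T1134.005}{SID-History Injection}
\deftid{T1134}{Access Token Manipulation}
\deftid{T1135}{Network Share Discovery}
\deftid{T1136.001}{Local Account}
\deftid{T1136.002}{Domain Account}
\deftid{T1136.003}{Cloud Account}
\deftid{T1136}{Create Account}
\deftid{T1137.001}{Office Template Macros}
\deftid{T1137.002}{Office Test}
\deftid{T1137.003}{Outlook Forms}
\deftid{T1137.004}{Outlook Home Page}
\deftid{T1137.005}{Outlook Rules}
\deftid{T1137.006}{Add-ins}
\deftid{T1137}{Office Application Startup}
\deftid{T1138}{Application Shimming}
\deftid{T1139}{Bash History}
\deftid{T1140}{Deobfuscate/Decode Files or Information}
\deftid{T1141}{Input Prompt}
\deftid{T1142}{Keychain}
\deftid{T1143}{Hidden Window}
\deftid{T1144}{Gatekeeper Bypass}
\deftid{T1145}{Private Keys}
\deftid{T1146}{Clear Command History}
\deftid{T1147}{Hidden Users}
\deftid{T1148}{HISTCONTROL}
\deftid{T1149}{LC\_MAIN Hijacking}
\deftid{T1150}{Plist Modification}
\deftid{T1151}{Space after Filename}
\deftid{T1152}{Launchctl}
\deftid{T1153}{Source}
\deftid{T1154}{Trap}
\deftid{T1155}{AppleScript}
\deftid{T1156}{Malicious Shell Modification}
\deftid{T1157}{Dylib Hijacking}
\deftid{T1158}{Hidden Files and Directories}
\deftid{T1159}{Launch Agent}
\deftid{T1160}{Launch Daemon}
\deftid{T1161}{LC\_LOAD\_DYLIB Addition}
\deftid{T1162}{Login Item}
\deftid{T1163}{Rc.common}
\deftid{T1164}{Re-opened Applications}
\deftid{T1165}{Startup Items}
\deftid{T1166}{Setuid and Setgid}
\deftid{T1167}{Securityd Memory}
\deftid{T1168}{Local Job Scheduling}
\deftid{T1169}{Sudo}
\deftid{T1170}{Mshta}
\deftid{T1171}{LLMNR/NBT-NS Poisoning and Relay}
\deftid{T1172}{Domain Fronting}
\deftid{T1173}{Dynamic Data Exchange}
\deftid{T1174}{Password Filter DLL}
\deftid{T1175}{Component Object Model and Distributed COM}
\deftid{T1176}{Browser Extensions}
\deftid{T1177}{LSASS Driver}
\deftid{T1178}{SID-History Injection}
\deftid{T1179}{Hooking}
\deftid{T1180}{Screensaver}
\deftid{T1181}{Extra Window Memory Injection}
\deftid{T1182}{AppCert DLLs}
\deftid{T1183}{Image File Execution Options Injection}
\deftid{T1184}{SSH Hijacking}
\deftid{T1185}{Browser Session Hijacking}
\deftid{T1186}{Process Doppelgänging}
\deftid{T1187}{Forced Authentication}
\deftid{T1188}{Multi-hop Proxy}
\deftid{T1189}{Drive-by Compromise}
\deftid{T1190}{Exploit Public-Facing Application}
\deftid{T1191}{CMSTP}
\deftid{T1192}{Spearphishing Link}
\deftid{T1193}{Spearphishing Attachment}
\deftid{T1194}{Spearphishing via Service}
\deftid{T1195.001}{Compromise Software Dependencies and Development Tools}
\deftid{T1195.002}{Compromise Software Supply Chain}
\deftid{T1195.003}{Compromise Hardware Supply Chain}
\deftid{T1195}{Supply Chain Compromise}
\deftid{T1196}{Control Panel Items}
\deftid{T1197}{BITS Jobs}
\deftid{T1198}{SIP and Trust Provider Hijacking}
\deftid{T1199}{Trusted Relationship}
\deftid{T1200}{Hardware Additions}
\deftid{T1201}{Password Policy Discovery}
\deftid{T1202}{Indirect Command Execution}
\deftid{T1203}{Exploitation for Client Execution}
\deftid{T1204.001}{Malicious Link}
\deftid{T1204.002}{Malicious File}
\deftid{T1204.003}{Malicious Image}
\deftid{T1204}{User Execution}
\deftid{T1205.001}{Port Knocking}
\deftid{T1205}{Traffic Signaling}
\deftid{T1206}{Sudo Caching}
\deftid{T1207}{Rogue Domain Controller}
\deftid{T1208}{Kerberoasting}
\deftid{T1209}{Time Providers}
\deftid{T1210}{Exploitation of Remote Services}
\deftid{T1211}{Exploitation for Defense Evasion}
\deftid{T1212}{Exploitation for Credential Access}
\deftid{T1213.001}{Confluence}
\deftid{T1213.002}{Sharepoint}
\deftid{T1213.003}{Code Repositories}
\deftid{T1213}{Data from Information Repositories}
\deftid{T1214}{Credentials in Registry}
\deftid{T1215}{Kernel Modules and Extensions}
\deftid{T1216.001}{PubPrn}
\deftid{T1216}{Signed Script Proxy Execution}
\deftid{T1217}{Browser Bookmark Discovery}
\deftid{T1218.001}{Compiled HTML File}
\deftid{T1218.002}{Control Panel}
\deftid{T1218.003}{CMSTP}
\deftid{T1218.004}{InstallUtil}
\deftid{T1218.005}{Mshta}
\deftid{T1218.007}{Msiexec}
\deftid{T1218.008}{Odbcconf}
\deftid{T1218.009}{Regsvcs/Regasm}
\deftid{T1218.010}{Regsvr32}
\deftid{T1218.011}{Rundll32}
\deftid{T1218.012}{Verclsid}
\deftid{T1218.013}{Mavinject}
\deftid{T1218.014}{MMC}
\deftid{T1218}{Signed Binary Proxy Execution}
\deftid{T1219}{Remote Access Software}
\deftid{T1220}{XSL Script Processing}
\deftid{T1221}{Template Injection}
\deftid{T1222.001}{Windows File and Directory Permissions Modification}
\deftid{T1222.002}{Linux and Mac File and Directory Permissions Modification}
\deftid{T1222}{File and Directory Permissions Modification}
\deftid{T1223}{Compiled HTML File}
\deftid{T1480.001}{Environmental Keying}
\deftid{T1480}{Execution Guardrails}
\deftid{T1482}{Domain Trust Discovery}
\deftid{T1483}{Domain Generation Algorithms}
\deftid{T1484.001}{Group Policy Modification}
\deftid{T1484.002}{Domain Trust Modification}
\deftid{T1484}{Domain Policy Modification}
\deftid{T1485}{Data Destruction}
\deftid{T1486}{Data Encrypted for Impact}
\deftid{T1487}{Disk Structure Wipe}
\deftid{T1488}{Disk Content Wipe}
\deftid{T1489}{Service Stop}
\deftid{T1490}{Inhibit System Recovery}
\deftid{T1491.001}{Internal Defacement}
\deftid{T1491.002}{External Defacement}
\deftid{T1491}{Defacement}
\deftid{T1492}{Stored Data Manipulation}
\deftid{T1493}{Transmitted Data Manipulation}
\deftid{T1494}{Runtime Data Manipulation}
\deftid{T1495}{Firmware Corruption}
\deftid{T1496}{Resource Hijacking}
\deftid{T1497.001}{System Checks}
\deftid{T1497.002}{User Activity Based Checks}
\deftid{T1497.003}{Time Based Evasion}
\deftid{T1497}{Virtualization/Sandbox Evasion}
\deftid{T1498.001}{Direct Network Flood}
\deftid{T1498.002}{Reflection Amplification}
\deftid{T1498}{Network Denial of Service}
\deftid{T1499.001}{OS Exhaustion Flood}
\deftid{T1499.002}{Service Exhaustion Flood}
\deftid{T1499.003}{Application Exhaustion Flood}
\deftid{T1499.004}{Application or System Exploitation}
\deftid{T1499}{Endpoint Denial of Service}
\deftid{T1500}{Compile After Delivery}
\deftid{T1501}{Systemd Service}
\deftid{T1502}{Parent PID Spoofing}
\deftid{T1503}{Credentials from Web Browsers}
\deftid{T1504}{PowerShell Profile}
\deftid{T1505.001}{SQL Stored Procedures}
\deftid{T1505.002}{Transport Agent}
\deftid{T1505.003}{Web Shell}
\deftid{T1505.004}{IIS Components}
\deftid{T1505}{Server Software Component}
\deftid{T1506}{Web Session Cookie}
\deftid{T1514}{Elevated Execution with Prompt}
\deftid{T1518.001}{Security Software Discovery}
\deftid{T1518}{Software Discovery}
\deftid{T1519}{Emond}
\deftid{T1522}{Cloud Instance Metadata API}
\deftid{T1525}{Implant Internal Image}
\deftid{T1526}{Cloud Service Discovery}
\deftid{T1527}{Application Access Token}
\deftid{T1528}{Steal Application Access Token}
\deftid{T1529}{System Shutdown/Reboot}
\deftid{T1530}{Data from Cloud Storage Object}
\deftid{T1531}{Account Access Removal}
\deftid{T1534}{Internal Spearphishing}
\deftid{T1535}{Unused/Unsupported Cloud Regions}
\deftid{T1536}{Revert Cloud Instance}
\deftid{T1537}{Transfer Data to Cloud Account}
\deftid{T1538}{Cloud Service Dashboard}
\deftid{T1539}{Steal Web Session Cookie}
\deftid{T1542.001}{System Firmware}
\deftid{T1542.002}{Component Firmware}
\deftid{T1542.003}{Bootkit}
\deftid{T1542.004}{ROMMONkit}
\deftid{T1542.005}{TFTP Boot}
\deftid{T1542}{Pre-OS Boot}
\deftid{T1543.001}{Launch Agent}
\deftid{T1543.002}{Systemd Service}
\deftid{T1543.003}{Windows Service}
\deftid{T1543.004}{Launch Daemon}
\deftid{T1543}{Create or Modify System Process}
\deftid{T1546.001}{Change Default File Association}
\deftid{T1546.002}{Screensaver}
\deftid{T1546.003}{Windows Management Instrumentation Event Subscription}
\deftid{T1546.004}{Unix Shell Configuration Modification}
\deftid{T1546.005}{Trap}
\deftid{T1546.006}{LC\_LOAD\_DYLIB Addition}
\deftid{T1546.007}{Netsh Helper DLL}
\deftid{T1546.008}{Accessibility Features}
\deftid{T1546.009}{AppCert DLLs}
\deftid{T1546.010}{AppInit DLLs}
\deftid{T1546.011}{Application Shimming}
\deftid{T1546.012}{Image File Execution Options Injection}
\deftid{T1546.013}{PowerShell Profile}
\deftid{T1546.014}{Emond}
\deftid{T1546.015}{Component Object Model Hijacking}
\deftid{T1546}{Event Triggered Execution}
\deftid{T1547.001}{Registry Run Keys / Startup Folder}
\deftid{T1547.002}{Authentication Package}
\deftid{T1547.003}{Time Providers}
\deftid{T1547.004}{Winlogon Helper DLL}
\deftid{T1547.005}{Security Support Provider}
\deftid{T1547.006}{Kernel Modules and Extensions}
\deftid{T1547.007}{Re-opened Applications}
\deftid{T1547.008}{LSASS Driver}
\deftid{T1547.009}{Shortcut Modification}
\deftid{T1547.010}{Port Monitors}
\deftid{T1547.011}{Plist Modification}
\deftid{T1547.012}{Print Processors}
\deftid{T1547.013}{XDG Autostart Entries}
\deftid{T1547.014}{Active Setup}
\deftid{T1547.015}{Login Items}
\deftid{T1547}{Boot or Logon Autostart Execution}
\deftid{T1548.001}{Setuid and Setgid}
\deftid{T1548.002}{Bypass User Account Control}
\deftid{T1548.003}{Sudo and Sudo Caching}
\deftid{T1548.004}{Elevated Execution with Prompt}
\deftid{T1548}{Abuse Elevation Control Mechanism}
\deftid{T1550.001}{Application Access Token}
\deftid{T1550.002}{Pass the Hash}
\deftid{T1550.003}{Pass the Ticket}
\deftid{T1550.004}{Web Session Cookie}
\deftid{T1550}{Use Alternate Authentication Material}
\deftid{T1552.001}{Credentials In Files}
\deftid{T1552.002}{Credentials in Registry}
\deftid{T1552.003}{Bash History}
\deftid{T1552.004}{Private Keys}
\deftid{T1552.005}{Cloud Instance Metadata API}
\deftid{T1552.006}{Group Policy Preferences}
\deftid{T1552.007}{Container API}
\deftid{T1552}{Unsecured Credentials}
\deftid{T1553.001}{Gatekeeper Bypass}
\deftid{T1553.002}{Code Signing}
\deftid{T1553.003}{SIP and Trust Provider Hijacking}
\deftid{T1553.004}{Install Root Certificate}
\deftid{T1553.005}{Mark-of-the-Web Bypass}
\deftid{T1553.006}{Code Signing Policy Modification}
\deftid{T1553}{Subvert Trust Controls}
\deftid{T1554}{Compromise Client Software Binary}
\deftid{T1555.001}{Keychain}
\deftid{T1555.002}{Securityd Memory}
\deftid{T1555.003}{Credentials from Web Browsers}
\deftid{T1555.004}{Windows Credential Manager}
\deftid{T1555.005}{Password Managers}
\deftid{T1555}{Credentials from Password Stores}
\deftid{T1556.001}{Domain Controller Authentication}
\deftid{T1556.002}{Password Filter DLL}
\deftid{T1556.003}{Pluggable Authentication Modules}
\deftid{T1556.004}{Network Device Authentication}
\deftid{T1556}{Modify Authentication Process}
\deftid{T1557.001}{LLMNR/NBT-NS Poisoning and SMB Relay}
\deftid{T1557.002}{ARP Cache Poisoning}
\deftid{T1557}{Adversary-in-the-Middle}
\deftid{T1558.001}{Golden Ticket}
\deftid{T1558.002}{Silver Ticket}
\deftid{T1558.003}{Kerberoasting}
\deftid{T1558.004}{AS-REP Roasting}
\deftid{T1558}{Steal or Forge Kerberos Tickets}
\deftid{T1559.001}{Component Object Model}
\deftid{T1559.002}{Dynamic Data Exchange}
\deftid{T1559}{Inter-Process Communication}
\deftid{T1560.001}{Archive via Utility}
\deftid{T1560.002}{Archive via Library}
\deftid{T1560.003}{Archive via Custom Method}
\deftid{T1560}{Archive Collected Data}
\deftid{T1561.001}{Disk Content Wipe}
\deftid{T1561.002}{Disk Structure Wipe}
\deftid{T1561}{Disk Wipe}
\deftid{T1562.001}{Disable or Modify Tools}
\deftid{T1562.002}{Disable Windows Event Logging}
\deftid{T1562.003}{Impair Command History Logging}
\deftid{T1562.004}{Disable or Modify System Firewall}
\deftid{T1562.006}{Indicator Blocking}
\deftid{T1562.007}{Disable or Modify Cloud Firewall}
\deftid{T1562.008}{Disable Cloud Logs}
\deftid{T1562.009}{Safe Mode Boot}
\deftid{T1562.010}{Downgrade Attack}
\deftid{T1562}{Impair Defenses}
\deftid{T1563.001}{SSH Hijacking}
\deftid{T1563.002}{RDP Hijacking}
\deftid{T1563}{Remote Service Session Hijacking}
\deftid{T1564.001}{Hidden Files and Directories}
\deftid{T1564.002}{Hidden Users}
\deftid{T1564.003}{Hidden Window}
\deftid{T1564.004}{NTFS File Attributes}
\deftid{T1564.005}{Hidden File System}
\deftid{T1564.006}{Run Virtual Instance}
\deftid{T1564.007}{VBA Stomping}
\deftid{T1564.008}{Email Hiding Rules}
\deftid{T1564.009}{Resource Forking}
\deftid{T1564}{Hide Artifacts}
\deftid{T1565.001}{Stored Data Manipulation}
\deftid{T1565.002}{Transmitted Data Manipulation}
\deftid{T1565.003}{Runtime Data Manipulation}
\deftid{T1565}{Data Manipulation}
\deftid{T1566.001}{Spearphishing Attachment}
\deftid{T1566.002}{Spearphishing Link}
\deftid{T1566.003}{Spearphishing via Service}
\deftid{T1566}{Phishing}
\deftid{T1567.001}{Exfiltration to Code Repository}
\deftid{T1567.002}{Exfiltration to Cloud Storage}
\deftid{T1567}{Exfiltration Over Web Service}
\deftid{T1568.001}{Fast Flux DNS}
\deftid{T1568.002}{Domain Generation Algorithms}
\deftid{T1568.003}{DNS Calculation}
\deftid{T1568}{Dynamic Resolution}
\deftid{T1569.001}{Launchctl}
\deftid{T1569.002}{Service Execution}
\deftid{T1569}{System Services}
\deftid{T1570}{Lateral Tool Transfer}
\deftid{T1571}{Non-Standard Port}
\deftid{T1572}{Protocol Tunneling}
\deftid{T1573.001}{Symmetric Cryptography}
\deftid{T1573.002}{Asymmetric Cryptography}
\deftid{T1573}{Encrypted Channel}
\deftid{T1574.001}{DLL Search Order Hijacking}
\deftid{T1574.002}{DLL Side-Loading}
\deftid{T1574.004}{Dylib Hijacking}
\deftid{T1574.005}{Executable Installer File Permissions Weakness}
\deftid{T1574.006}{Dynamic Linker Hijacking}
\deftid{T1574.007}{Path Interception by PATH Environment Variable}
\deftid{T1574.008}{Path Interception by Search Order Hijacking}
\deftid{T1574.009}{Path Interception by Unquoted Path}
\deftid{T1574.010}{Services File Permissions Weakness}
\deftid{T1574.011}{Services Registry Permissions Weakness}
\deftid{T1574.012}{COR\_PROFILER}
\deftid{T1574}{Hijack Execution Flow}
\deftid{T1578.001}{Create Snapshot}
\deftid{T1578.002}{Create Cloud Instance}
\deftid{T1578.003}{Delete Cloud Instance}
\deftid{T1578.004}{Revert Cloud Instance}
\deftid{T1578}{Modify Cloud Compute Infrastructure}
\deftid{T1580}{Cloud Infrastructure Discovery}
\deftid{T1583.001}{Domains}
\deftid{T1583.002}{DNS Server}
\deftid{T1583.003}{Virtual Private Server}
\deftid{T1583.004}{Server}
\deftid{T1583.005}{Botnet}
\deftid{T1583.006}{Web Services}
\deftid{T1583}{Acquire Infrastructure}
\deftid{T1584.001}{Domains}
\deftid{T1584.002}{DNS Server}
\deftid{T1584.003}{Virtual Private Server}
\deftid{T1584.004}{Server}
\deftid{T1584.005}{Botnet}
\deftid{T1584.006}{Web Services}
\deftid{T1584}{Compromise Infrastructure}
\deftid{T1585.001}{Social Media Accounts}
\deftid{T1585.002}{Email Accounts}
\deftid{T1585}{Establish Accounts}
\deftid{T1586.001}{Social Media Accounts}
\deftid{T1586.002}{Email Accounts}
\deftid{T1586}{Compromise Accounts}
\deftid{T1587.001}{Malware}
\deftid{T1587.002}{Code Signing Certificates}
\deftid{T1587.003}{Digital Certificates}
\deftid{T1587.004}{Exploits}
\deftid{T1587}{Develop Capabilities}
\deftid{T1588.001}{Malware}
\deftid{T1588.002}{Tool}
\deftid{T1588.003}{Code Signing Certificates}
\deftid{T1588.004}{Digital Certificates}
\deftid{T1588.005}{Exploits}
\deftid{T1588.006}{Vulnerabilities}
\deftid{T1588}{Obtain Capabilities}
\deftid{T1589.001}{Credentials}
\deftid{T1589.002}{Email Addresses}
\deftid{T1589.003}{Employee Names}
\deftid{T1589}{Gather Victim Identity Information}
\deftid{T1590.001}{Domain Properties}
\deftid{T1590.002}{DNS}
\deftid{T1590.003}{Network Trust Dependencies}
\deftid{T1590.004}{Network Topology}
\deftid{T1590.005}{IP Addresses}
\deftid{T1590.006}{Network Security Appliances}
\deftid{T1590}{Gather Victim Network Information}
\deftid{T1591.001}{Determine Physical Locations}
\deftid{T1591.002}{Business Relationships}
\deftid{T1591.003}{Identify Business Tempo}
\deftid{T1591.004}{Identify Roles}
\deftid{T1591}{Gather Victim Org Information}
\deftid{T1592.001}{Hardware}
\deftid{T1592.002}{Software}
\deftid{T1592.003}{Firmware}
\deftid{T1592.004}{Client Configurations}
\deftid{T1592}{Gather Victim Host Information}
\deftid{T1593.001}{Social Media}
\deftid{T1593.002}{Search Engines}
\deftid{T1593}{Search Open Websites/Domains}
\deftid{T1594}{Search Victim-Owned Websites}
\deftid{T1595.001}{Scanning IP Blocks}
\deftid{T1595.002}{Vulnerability Scanning}
\deftid{T1595}{Active Scanning}
\deftid{T1596.001}{DNS/Passive DNS}
\deftid{T1596.002}{WHOIS}
\deftid{T1596.003}{Digital Certificates}
\deftid{T1596.004}{CDNs}
\deftid{T1596.005}{Scan Databases}
\deftid{T1596}{Search Open Technical Databases}
\deftid{T1597.001}{Threat Intel Vendors}
\deftid{T1597.002}{Purchase Technical Data}
\deftid{T1597}{Search Closed Sources}
\deftid{T1598.001}{Spearphishing Service}
\deftid{T1598.002}{Spearphishing Attachment}
\deftid{T1598.003}{Spearphishing Link}
\deftid{T1598}{Phishing for Information}
\deftid{T1599.001}{Network Address Translation Traversal}
\deftid{T1599}{Network Boundary Bridging}
\deftid{T1600.001}{Reduce Key Space}
\deftid{T1600.002}{Disable Crypto Hardware}
\deftid{T1600}{Weaken Encryption}
\deftid{T1601.001}{Patch System Image}
\deftid{T1601.002}{Downgrade System Image}
\deftid{T1601}{Modify System Image}
\deftid{T1602.001}{SNMP (MIB Dump)}
\deftid{T1602.002}{Network Device Configuration Dump}
\deftid{T1602}{Data from Configuration Repository}
\deftid{T1606.001}{Web Cookies}
\deftid{T1606.002}{SAML Tokens}
\deftid{T1606}{Forge Web Credentials}
\deftid{T1608.001}{Upload Malware}
\deftid{T1608.002}{Upload Tool}
\deftid{T1608.003}{Install Digital Certificate}
\deftid{T1608.004}{Drive-by Target}
\deftid{T1608.005}{Link Target}
\deftid{T1608}{Stage Capabilities}
\deftid{T1609}{Container Administration Command}
\deftid{T1610}{Deploy Container}
\deftid{T1611}{Escape to Host}
\deftid{T1612}{Build Image on Host}
\deftid{T1613}{Container and Resource Discovery}
\deftid{T1614.001}{System Language Discovery}
\deftid{T1614}{System Location Discovery}
\deftid{T1615}{Group Policy Discovery}
\deftid{T1619}{Cloud Storage Object Discovery}
\deftid{T1620}{Reflective Code Loading}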
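\documentclass{article}
\usepackage[utf8]{inputenc}   % the ID table contains non-ASCII names (e.g. 'Doppelgänging')
\usepackage[T1]{fontenc}      % correct hyphenation and copyable PDF text for accented names
% hyperref is loaded here *with* options: the file read by \input{mitre_attack}
% loads it without any, and asking for options after a plain load would raise
% an option clash.  hidelinks drops the default coloured link boxes.
\usepackage[hidelinks]{hyperref}
% Has to stay in the preamble: the file issues \usepackage itself and defines
% \tid, \tidtext, \texttid, \deftid and \gettid used below.
\input{mitre_attack}
\title{Demonstration}
\author{@Wietze}
\begin{document}
\maketitle
% \texttid -> 'Name (ID)', \tidtext -> 'ID: Name', \tid -> 'ID'; the ID is a hyperlink in all three.
The MITRE ATT\&CK sub-technique \texttid{T1059.001} is part of technique \tidtext{T1059}. Due to \tid{T1059.001} being a rather broad attacker technique, it is one of the most popular ones.
\end{document}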