@wietze
Created January 31, 2022 18:29
MITRE ATT&CK - LaTeX functions
\usepackage{hyperref}
\usepackage{xstring}
\DeclareRobustCommand{\tid}[1]{\StrSubstitute{#1}{.}{/}[\temp]%
\href{https://attack.mitre.org/techniques/\temp/}{#1}}
% \tid{T1234} returns 'T1234' with a hyperlink to its MITRE ATT&CK page
\DeclareRobustCommand{\tidtext}[1]{\StrSubstitute{#1}{.}{/}[\temp]%
\href{https://attack.mitre.org/techniques/\temp/}{#1}: \gettid{#1}}
% \tidtext{T1234} returns 'T1234: Technique Name' with T1234 containing a hyperlink to its MITRE ATT&CK page
\DeclareRobustCommand{\texttid}[1]{\StrSubstitute{#1}{.}{/}[\temp]%
\gettid{#1} (\href{https://attack.mitre.org/techniques/\temp/}{#1})}
% \texttid{T1234} returns 'Technique Name (T1234)' with T1234 containing a hyperlink to its MITRE ATT&CK page
\makeatletter
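% \deftid{T1234}{Technique Name} stores the name in a control sequence named tid_T1234
\newcommand\deftid[1]{\@namedef{tid_#1}}
% \gettid{T1234} expands to the stored name; an ID without a \deftid entry silently expands to nothing
\newcommand\gettid[1]{\@nameuse{tid_#1}}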
\makeatother
\deftid{T1001.001}{Junk Data}
\deftid{T1001.002}{Steganography}
\deftid{T1001.003}{Protocol Impersonation}
\deftid{T1001}{Data Obfuscation}
\deftid{T1002}{Data Compressed}
\deftid{T1003.001}{LSASS Memory}
\deftid{T1003.002}{Security Account Manager}
\deftid{T1003.003}{NTDS}
\deftid{T1003.004}{LSA Secrets}
\deftid{T1003.005}{Cached Domain Credentials}
\deftid{T1003.006}{DCSync}
\deftid{T1003.007}{Proc Filesystem}
\deftid{T1003.008}{/etc/passwd and /etc/shadow}
\deftid{T1003}{OS Credential Dumping}
\deftid{T1004}{Winlogon Helper DLL}
\deftid{T1005}{Data from Local System}
\deftid{T1006}{Direct Volume Access}
\deftid{T1007}{System Service Discovery}
\deftid{T1008}{Fallback Channels}
\deftid{T1009}{Binary Padding}
\deftid{T1010}{Application Window Discovery}
\deftid{T1011.001}{Exfiltration Over Bluetooth}
\deftid{T1011}{Exfiltration Over Other Network Medium}
\deftid{T1012}{Query Registry}
\deftid{T1013}{Port Monitors}
\deftid{T1014}{Rootkit}
\deftid{T1015}{Accessibility Features}
\deftid{T1016.001}{Internet Connection Discovery}
\deftid{T1016}{System Network Configuration Discovery}
\deftid{T1017}{Application Deployment Software}
\deftid{T1018}{Remote System Discovery}
\deftid{T1019}{System Firmware}
\deftid{T1020.001}{Traffic Duplication}
\deftid{T1020}{Automated Exfiltration}
\deftid{T1021.001}{Remote Desktop Protocol}
\deftid{T1021.002}{SMB/Windows Admin Shares}
\deftid{T1021.003}{Distributed Component Object Model}
\deftid{T1021.004}{SSH}
\deftid{T1021.005}{VNC}
\deftid{T1021.006}{Windows Remote Management}
\deftid{T1021}{Remote Services}
\deftid{T1022}{Data Encrypted}
\deftid{T1023}{Shortcut Modification}
\deftid{T1024}{Custom Cryptographic Protocol}
\deftid{T1025}{Data from Removable Media}
\deftid{T1026}{Multiband Communication}
\deftid{T1027.001}{Binary Padding}
\deftid{T1027.002}{Software Packing}
\deftid{T1027.003}{Steganography}
\deftid{T1027.004}{Compile After Delivery}
\deftid{T1027.005}{Indicator Removal from Tools}
\deftid{T1027.006}{HTML Smuggling}
\deftid{T1027}{Obfuscated Files or Information}
\deftid{T1028}{Windows Remote Management}
\deftid{T1029}{Scheduled Transfer}
\deftid{T1030}{Data Transfer Size Limits}
\deftid{T1031}{Modify Existing Service}
\deftid{T1032}{Standard Cryptographic Protocol}
\deftid{T1033}{System Owner/User Discovery}
\deftid{T1034}{Path Interception}
\deftid{T1035}{Service Execution}
\deftid{T1036.001}{Invalid Code Signature}
\deftid{T1036.002}{Right-to-Left Override}
\deftid{T1036.003}{Rename System Utilities}
\deftid{T1036.004}{Masquerade Task or Service}
\deftid{T1036.005}{Match Legitimate Name or Location}
\deftid{T1036.006}{Space after Filename}
\deftid{T1036.007}{Double File Extension}
\deftid{T1036}{Masquerading}
\deftid{T1037.001}{Logon Script (Windows)}
\deftid{T1037.002}{Logon Script (Mac)}
\deftid{T1037.003}{Network Logon Script}
\deftid{T1037.004}{RC Scripts}
\deftid{T1037.005}{Startup Items}
\deftid{T1037}{Boot or Logon Initialization Scripts}
\deftid{T1038}{DLL Search Order Hijacking}
\deftid{T1039}{Data from Network Shared Drive}
\deftid{T1040}{Network Sniffing}
\deftid{T1041}{Exfiltration Over C2 Channel}
\deftid{T1042}{Change Default File Association}
\deftid{T1043}{Commonly Used Port}
\deftid{T1044}{File System Permissions Weakness}
\deftid{T1045}{Software Packing}
\deftid{T1046}{Network Service Scanning}
\deftid{T1047}{Windows Management Instrumentation}
\deftid{T1048.001}{Exfiltration Over Symmetric Encrypted Non-C2 Protocol}
\deftid{T1048.002}{Exfiltration Over Asymmetric Encrypted Non-C2 Protocol}
\deftid{T1048.003}{Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol}
\deftid{T1048}{Exfiltration Over Alternative Protocol}
\deftid{T1049}{System Network Connections Discovery}
\deftid{T1050}{New Service}
\deftid{T1051}{Shared Webroot}
\deftid{T1052.001}{Exfiltration over USB}
\deftid{T1052}{Exfiltration Over Physical Medium}
\deftid{T1053.001}{At (Linux)}
\deftid{T1053.002}{At (Windows)}
\deftid{T1053.003}{Cron}
\deftid{T1053.004}{Launchd}
\deftid{T1053.005}{Scheduled Task}
\deftid{T1053.006}{Systemd Timers}
\deftid{T1053.007}{Container Orchestration Job}
\deftid{T1053}{Scheduled Task/Job}
\deftid{T1054}{Indicator Blocking}
\deftid{T1055.001}{Dynamic-link Library Injection}
\deftid{T1055.002}{Portable Executable Injection}
\deftid{T1055.003}{Thread Execution Hijacking}
\deftid{T1055.004}{Asynchronous Procedure Call}
\deftid{T1055.005}{Thread Local Storage}
\deftid{T1055.008}{Ptrace System Calls}
\deftid{T1055.009}{Proc Memory}
\deftid{T1055.011}{Extra Window Memory Injection}
\deftid{T1055.012}{Process Hollowing}
\deftid{T1055.013}{Process Doppelgänging}
\deftid{T1055.014}{VDSO Hijacking}
\deftid{T1055}{Process Injection}
\deftid{T1056.001}{Keylogging}
\deftid{T1056.002}{GUI Input Capture}
\deftid{T1056.003}{Web Portal Capture}
\deftid{T1056.004}{Credential API Hooking}
\deftid{T1056}{Input Capture}
\deftid{T1057}{Process Discovery}
\deftid{T1058}{Service Registry Permissions Weakness}
\deftid{T1059.001}{PowerShell}
\deftid{T1059.002}{AppleScript}
\deftid{T1059.003}{Windows Command Shell}
\deftid{T1059.004}{Unix Shell}
\deftid{T1059.005}{Visual Basic}
\deftid{T1059.006}{Python}
\deftid{T1059.007}{JavaScript}
\deftid{T1059.008}{Network Device CLI}
\deftid{T1059}{Command and Scripting Interpreter}
\deftid{T1060}{Registry Run Keys / Startup Folder}
\deftid{T1061}{Graphical User Interface}
\deftid{T1062}{Hypervisor}
\deftid{T1063}{Security Software Discovery}
\deftid{T1064}{Scripting}
\deftid{T1065}{Uncommonly Used Port}
\deftid{T1066}{Indicator Removal from Tools}
\deftid{T1067}{Bootkit}
\deftid{T1068}{Exploitation for Privilege Escalation}
\deftid{T1069.001}{Local Groups}
\deftid{T1069.002}{Domain Groups}
\deftid{T1069.003}{Cloud Groups}
\deftid{T1069}{Permission Groups Discovery}
\deftid{T1070.001}{Clear Windows Event Logs}
\deftid{T1070.002}{Clear Linux or Mac System Logs}
\deftid{T1070.003}{Clear Command History}
\deftid{T1070.004}{File Deletion}
\deftid{T1070.005}{Network Share Connection Removal}
\deftid{T1070.006}{Timestomp}
\deftid{T1070}{Indicator Removal on Host}
\deftid{T1071.001}{Web Protocols}
\deftid{T1071.002}{File Transfer Protocols}
\deftid{T1071.003}{Mail Protocols}
\deftid{T1071.004}{DNS}
\deftid{T1071}{Application Layer Protocol}
\deftid{T1072}{Software Deployment Tools}
\deftid{T1073}{DLL Side-Loading}
\deftid{T1074.001}{Local Data Staging}
\deftid{T1074.002}{Remote Data Staging}
\deftid{T1074}{Data Staged}
\deftid{T1075}{Pass the Hash}
\deftid{T1076}{Remote Desktop Protocol}
\deftid{T1077}{Windows Admin Shares}
\deftid{T1078.001}{Default Accounts}
\deftid{T1078.002}{Domain Accounts}
\deftid{T1078.003}{Local Accounts}
\deftid{T1078.004}{Cloud Accounts}
\deftid{T1078}{Valid Accounts}
\deftid{T1079}{Multilayer Encryption}
\deftid{T1080}{Taint Shared Content}
\deftid{T1081}{Credentials in Files}
\deftid{T1082}{System Information Discovery}
\deftid{T1083}{File and Directory Discovery}
\deftid{T1084}{Windows Management Instrumentation Event Subscription}
\deftid{T1085}{Rundll32}
\deftid{T1086}{PowerShell}
\deftid{T1087.001}{Local Account}
\deftid{T1087.002}{Domain Account}
\deftid{T1087.003}{Email Account}
\deftid{T1087.004}{Cloud Account}
\deftid{T1087}{Account Discovery}
\deftid{T1088}{Bypass User Account Control}
\deftid{T1089}{Disabling Security Tools}
\deftid{T1090.001}{Internal Proxy}
\deftid{T1090.002}{External Proxy}
\deftid{T1090.003}{Multi-hop Proxy}
\deftid{T1090.004}{Domain Fronting}
\deftid{T1090}{Proxy}
\deftid{T1091}{Replication Through Removable Media}
\deftid{T1092}{Communication Through Removable Media}
\deftid{T1093}{Process Hollowing}
\deftid{T1094}{Custom Command and Control Protocol}
\deftid{T1095}{Non-Application Layer Protocol}
\deftid{T1096}{NTFS File Attributes}
\deftid{T1097}{Pass the Ticket}
\deftid{T1098.001}{Additional Cloud Credentials}
\deftid{T1098.002}{Exchange Email Delegate Permissions}
\deftid{T1098.003}{Add Office 365 Global Administrator Role}
\deftid{T1098.004}{SSH Authorized Keys}
\deftid{T1098}{Account Manipulation}
\deftid{T1099}{Timestomp}
\deftid{T1100}{Web Shell}
\deftid{T1101}{Security Support Provider}
\deftid{T1102.001}{Dead Drop Resolver}
\deftid{T1102.002}{Bidirectional Communication}
\deftid{T1102.003}{One-Way Communication}
\deftid{T1102}{Web Service}
\deftid{T1103}{AppInit DLLs}
\deftid{T1104}{Multi-Stage Channels}
\deftid{T1105}{Ingress Tool Transfer}
\deftid{T1106}{Native API}
\deftid{T1107}{File Deletion}
\deftid{T1108}{Redundant Access}
\deftid{T1109}{Component Firmware}
\deftid{T1110.001}{Password Guessing}
\deftid{T1110.002}{Password Cracking}
\deftid{T1110.003}{Password Spraying}
\deftid{T1110.004}{Credential Stuffing}
\deftid{T1110}{Brute Force}
\deftid{T1111}{Two-Factor Authentication Interception}
\deftid{T1112}{Modify Registry}
\deftid{T1113}{Screen Capture}
\deftid{T1114.001}{Local Email Collection}
\deftid{T1114.002}{Remote Email Collection}
\deftid{T1114.003}{Email Forwarding Rule}
\deftid{T1114}{Email Collection}
\deftid{T1115}{Clipboard Data}
\deftid{T1116}{Code Signing}
\deftid{T1117}{Regsvr32}
\deftid{T1118}{InstallUtil}
\deftid{T1119}{Automated Collection}
\deftid{T1120}{Peripheral Device Discovery}
\deftid{T1121}{Regsvcs/Regasm}
\deftid{T1122}{Component Object Model Hijacking}
\deftid{T1123}{Audio Capture}
\deftid{T1124}{System Time Discovery}
\deftid{T1125}{Video Capture}
\deftid{T1126}{Network Share Connection Removal}
\deftid{T1127.001}{MSBuild}
\deftid{T1127}{Trusted Developer Utilities Proxy Execution}
\deftid{T1128}{Netsh Helper DLL}
\deftid{T1129}{Shared Modules}
\deftid{T1130}{Install Root Certificate}
\deftid{T1131}{Authentication Package}
\deftid{T1132.001}{Standard Encoding}
\deftid{T1132.002}{Non-Standard Encoding}
\deftid{T1132}{Data Encoding}
\deftid{T1133}{External Remote Services}
\deftid{T1134.001}{Token Impersonation/Theft}
\deftid{T1134.002}{Create Process with Token}
\deftid{T1134.003}{Make and Impersonate Token}
\deftid{T1134.004}{Parent PID Spoofing}
\deftid{T1134.005}{SID-History Injection}
\deftid{T1134}{Access Token Manipulation}
\deftid{T1135}{Network Share Discovery}
\deftid{T1136.001}{Local Account}
\deftid{T1136.002}{Domain Account}
\deftid{T1136.003}{Cloud Account}
\deftid{T1136}{Create Account}
\deftid{T1137.001}{Office Template Macros}
\deftid{T1137.002}{Office Test}
\deftid{T1137.003}{Outlook Forms}
\deftid{T1137.004}{Outlook Home Page}
\deftid{T1137.005}{Outlook Rules}
\deftid{T1137.006}{Add-ins}
\deftid{T1137}{Office Application Startup}
\deftid{T1138}{Application Shimming}
\deftid{T1139}{Bash History}
\deftid{T1140}{Deobfuscate/Decode Files or Information}
\deftid{T1141}{Input Prompt}
\deftid{T1142}{Keychain}
\deftid{T1143}{Hidden Window}
\deftid{T1144}{Gatekeeper Bypass}
\deftid{T1145}{Private Keys}
\deftid{T1146}{Clear Command History}
\deftid{T1147}{Hidden Users}
\deftid{T1148}{HISTCONTROL}
\deftid{T1149}{LC\_MAIN Hijacking}
\deftid{T1150}{Plist Modification}
\deftid{T1151}{Space after Filename}
\deftid{T1152}{Launchctl}
\deftid{T1153}{Source}
\deftid{T1154}{Trap}
\deftid{T1155}{AppleScript}
\deftid{T1156}{Malicious Shell Modification}
\deftid{T1157}{Dylib Hijacking}
\deftid{T1158}{Hidden Files and Directories}
\deftid{T1159}{Launch Agent}
\deftid{T1160}{Launch Daemon}
\deftid{T1161}{LC\_LOAD\_DYLIB Addition}
\deftid{T1162}{Login Item}
\deftid{T1163}{Rc.common}
\deftid{T1164}{Re-opened Applications}
\deftid{T1165}{Startup Items}
\deftid{T1166}{Setuid and Setgid}
\deftid{T1167}{Securityd Memory}
\deftid{T1168}{Local Job Scheduling}
\deftid{T1169}{Sudo}
\deftid{T1170}{Mshta}
\deftid{T1171}{LLMNR/NBT-NS Poisoning and Relay}
\deftid{T1172}{Domain Fronting}
\deftid{T1173}{Dynamic Data Exchange}
\deftid{T1174}{Password Filter DLL}
\deftid{T1175}{Component Object Model and Distributed COM}
\deftid{T1176}{Browser Extensions}
\deftid{T1177}{LSASS Driver}
\deftid{T1178}{SID-History Injection}
\deftid{T1179}{Hooking}
\deftid{T1180}{Screensaver}
\deftid{T1181}{Extra Window Memory Injection}
\deftid{T1182}{AppCert DLLs}
\deftid{T1183}{Image File Execution Options Injection}
\deftid{T1184}{SSH Hijacking}
\deftid{T1185}{Browser Session Hijacking}
\deftid{T1186}{Process Doppelgänging}
\deftid{T1187}{Forced Authentication}
\deftid{T1188}{Multi-hop Proxy}
\deftid{T1189}{Drive-by Compromise}
\deftid{T1190}{Exploit Public-Facing Application}
\deftid{T1191}{CMSTP}
\deftid{T1192}{Spearphishing Link}
\deftid{T1193}{Spearphishing Attachment}
\deftid{T1194}{Spearphishing via Service}
\deftid{T1195.001}{Compromise Software Dependencies and Development Tools}
\deftid{T1195.002}{Compromise Software Supply Chain}
\deftid{T1195.003}{Compromise Hardware Supply Chain}
\deftid{T1195}{Supply Chain Compromise}
\deftid{T1196}{Control Panel Items}
\deftid{T1197}{BITS Jobs}
\deftid{T1198}{SIP and Trust Provider Hijacking}
\deftid{T1199}{Trusted Relationship}
\deftid{T1200}{Hardware Additions}
\deftid{T1201}{Password Policy Discovery}
\deftid{T1202}{Indirect Command Execution}
\deftid{T1203}{Exploitation for Client Execution}
\deftid{T1204.001}{Malicious Link}
\deftid{T1204.002}{Malicious File}
\deftid{T1204.003}{Malicious Image}
\deftid{T1204}{User Execution}
\deftid{T1205.001}{Port Knocking}
\deftid{T1205}{Traffic Signaling}
\deftid{T1206}{Sudo Caching}
\deftid{T1207}{Rogue Domain Controller}
\deftid{T1208}{Kerberoasting}
\deftid{T1209}{Time Providers}
\deftid{T1210}{Exploitation of Remote Services}
\deftid{T1211}{Exploitation for Defense Evasion}
\deftid{T1212}{Exploitation for Credential Access}
\deftid{T1213.001}{Confluence}
\deftid{T1213.002}{Sharepoint}
\deftid{T1213.003}{Code Repositories}
\deftid{T1213}{Data from Information Repositories}
\deftid{T1214}{Credentials in Registry}
\deftid{T1215}{Kernel Modules and Extensions}
\deftid{T1216.001}{PubPrn}
\deftid{T1216}{Signed Script Proxy Execution}
\deftid{T1217}{Browser Bookmark Discovery}
\deftid{T1218.001}{Compiled HTML File}
\deftid{T1218.002}{Control Panel}
\deftid{T1218.003}{CMSTP}
\deftid{T1218.004}{InstallUtil}
\deftid{T1218.005}{Mshta}
\deftid{T1218.007}{Msiexec}
\deftid{T1218.008}{Odbcconf}
\deftid{T1218.009}{Regsvcs/Regasm}
\deftid{T1218.010}{Regsvr32}
\deftid{T1218.011}{Rundll32}
\deftid{T1218.012}{Verclsid}
\deftid{T1218.013}{Mavinject}
\deftid{T1218.014}{MMC}
\deftid{T1218}{Signed Binary Proxy Execution}
\deftid{T1219}{Remote Access Software}
\deftid{T1220}{XSL Script Processing}
\deftid{T1221}{Template Injection}
\deftid{T1222.001}{Windows File and Directory Permissions Modification}
\deftid{T1222.002}{Linux and Mac File and Directory Permissions Modification}
\deftid{T1222}{File and Directory Permissions Modification}
\deftid{T1223}{Compiled HTML File}
\deftid{T1480.001}{Environmental Keying}
\deftid{T1480}{Execution Guardrails}
\deftid{T1482}{Domain Trust Discovery}
\deftid{T1483}{Domain Generation Algorithms}
\deftid{T1484.001}{Group Policy Modification}
\deftid{T1484.002}{Domain Trust Modification}
\deftid{T1484}{Domain Policy Modification}
\deftid{T1485}{Data Destruction}
\deftid{T1486}{Data Encrypted for Impact}
\deftid{T1487}{Disk Structure Wipe}
\deftid{T1488}{Disk Content Wipe}
\deftid{T1489}{Service Stop}
\deftid{T1490}{Inhibit System Recovery}
\deftid{T1491.001}{Internal Defacement}
\deftid{T1491.002}{External Defacement}
\deftid{T1491}{Defacement}
\deftid{T1492}{Stored Data Manipulation}
\deftid{T1493}{Transmitted Data Manipulation}
\deftid{T1494}{Runtime Data Manipulation}
\deftid{T1495}{Firmware Corruption}
\deftid{T1496}{Resource Hijacking}
\deftid{T1497.001}{System Checks}
\deftid{T1497.002}{User Activity Based Checks}
\deftid{T1497.003}{Time Based Evasion}
\deftid{T1497}{Virtualization/Sandbox Evasion}
\deftid{T1498.001}{Direct Network Flood}
\deftid{T1498.002}{Reflection Amplification}
\deftid{T1498}{Network Denial of Service}
\deftid{T1499.001}{OS Exhaustion Flood}
\deftid{T1499.002}{Service Exhaustion Flood}
\deftid{T1499.003}{Application Exhaustion Flood}
\deftid{T1499.004}{Application or System Exploitation}
\deftid{T1499}{Endpoint Denial of Service}
\deftid{T1500}{Compile After Delivery}
\deftid{T1501}{Systemd Service}
\deftid{T1502}{Parent PID Spoofing}
\deftid{T1503}{Credentials from Web Browsers}
\deftid{T1504}{PowerShell Profile}
\deftid{T1505.001}{SQL Stored Procedures}
\deftid{T1505.002}{Transport Agent}
\deftid{T1505.003}{Web Shell}
\deftid{T1505.004}{IIS Components}
\deftid{T1505}{Server Software Component}
\deftid{T1506}{Web Session Cookie}
\deftid{T1514}{Elevated Execution with Prompt}
\deftid{T1518.001}{Security Software Discovery}
\deftid{T1518}{Software Discovery}
\deftid{T1519}{Emond}
\deftid{T1522}{Cloud Instance Metadata API}
\deftid{T1525}{Implant Internal Image}
\deftid{T1526}{Cloud Service Discovery}
\deftid{T1527}{Application Access Token}
\deftid{T1528}{Steal Application Access Token}
\deftid{T1529}{System Shutdown/Reboot}
\deftid{T1530}{Data from Cloud Storage Object}
\deftid{T1531}{Account Access Removal}
\deftid{T1534}{Internal Spearphishing}
\deftid{T1535}{Unused/Unsupported Cloud Regions}
\deftid{T1536}{Revert Cloud Instance}
\deftid{T1537}{Transfer Data to Cloud Account}
\deftid{T1538}{Cloud Service Dashboard}
\deftid{T1539}{Steal Web Session Cookie}
\deftid{T1542.001}{System Firmware}
\deftid{T1542.002}{Component Firmware}
\deftid{T1542.003}{Bootkit}
\deftid{T1542.004}{ROMMONkit}
\deftid{T1542.005}{TFTP Boot}
\deftid{T1542}{Pre-OS Boot}
\deftid{T1543.001}{Launch Agent}
\deftid{T1543.002}{Systemd Service}
\deftid{T1543.003}{Windows Service}
\deftid{T1543.004}{Launch Daemon}
\deftid{T1543}{Create or Modify System Process}
\deftid{T1546.001}{Change Default File Association}
\deftid{T1546.002}{Screensaver}
\deftid{T1546.003}{Windows Management Instrumentation Event Subscription}
\deftid{T1546.004}{Unix Shell Configuration Modification}
\deftid{T1546.005}{Trap}
\deftid{T1546.006}{LC\_LOAD\_DYLIB Addition}
\deftid{T1546.007}{Netsh Helper DLL}
\deftid{T1546.008}{Accessibility Features}
\deftid{T1546.009}{AppCert DLLs}
\deftid{T1546.010}{AppInit DLLs}
\deftid{T1546.011}{Application Shimming}
\deftid{T1546.012}{Image File Execution Options Injection}
\deftid{T1546.013}{PowerShell Profile}
\deftid{T1546.014}{Emond}
\deftid{T1546.015}{Component Object Model Hijacking}
\deftid{T1546}{Event Triggered Execution}
\deftid{T1547.001}{Registry Run Keys / Startup Folder}
\deftid{T1547.002}{Authentication Package}
\deftid{T1547.003}{Time Providers}
\deftid{T1547.004}{Winlogon Helper DLL}
\deftid{T1547.005}{Security Support Provider}
\deftid{T1547.006}{Kernel Modules and Extensions}
\deftid{T1547.007}{Re-opened Applications}
\deftid{T1547.008}{LSASS Driver}
\deftid{T1547.009}{Shortcut Modification}
\deftid{T1547.010}{Port Monitors}
\deftid{T1547.011}{Plist Modification}
\deftid{T1547.012}{Print Processors}
\deftid{T1547.013}{XDG Autostart Entries}
\deftid{T1547.014}{Active Setup}
\deftid{T1547.015}{Login Items}
\deftid{T1547}{Boot or Logon Autostart Execution}
\deftid{T1548.001}{Setuid and Setgid}
\deftid{T1548.002}{Bypass User Account Control}
\deftid{T1548.003}{Sudo and Sudo Caching}
\deftid{T1548.004}{Elevated Execution with Prompt}
\deftid{T1548}{Abuse Elevation Control Mechanism}
\deftid{T1550.001}{Application Access Token}
\deftid{T1550.002}{Pass the Hash}
\deftid{T1550.003}{Pass the Ticket}
\deftid{T1550.004}{Web Session Cookie}
\deftid{T1550}{Use Alternate Authentication Material}
\deftid{T1552.001}{Credentials In Files}
\deftid{T1552.002}{Credentials in Registry}
\deftid{T1552.003}{Bash History}
\deftid{T1552.004}{Private Keys}
\deftid{T1552.005}{Cloud Instance Metadata API}
\deftid{T1552.006}{Group Policy Preferences}
\deftid{T1552.007}{Container API}
\deftid{T1552}{Unsecured Credentials}
\deftid{T1553.001}{Gatekeeper Bypass}
\deftid{T1553.002}{Code Signing}
\deftid{T1553.003}{SIP and Trust Provider Hijacking}
\deftid{T1553.004}{Install Root Certificate}
\deftid{T1553.005}{Mark-of-the-Web Bypass}
\deftid{T1553.006}{Code Signing Policy Modification}
\deftid{T1553}{Subvert Trust Controls}
\deftid{T1554}{Compromise Client Software Binary}
\deftid{T1555.001}{Keychain}
\deftid{T1555.002}{Securityd Memory}
\deftid{T1555.003}{Credentials from Web Browsers}
\deftid{T1555.004}{Windows Credential Manager}
\deftid{T1555.005}{Password Managers}
\deftid{T1555}{Credentials from Password Stores}
\deftid{T1556.001}{Domain Controller Authentication}
\deftid{T1556.002}{Password Filter DLL}
\deftid{T1556.003}{Pluggable Authentication Modules}
\deftid{T1556.004}{Network Device Authentication}
\deftid{T1556}{Modify Authentication Process}
\deftid{T1557.001}{LLMNR/NBT-NS Poisoning and SMB Relay}
\deftid{T1557.002}{ARP Cache Poisoning}
\deftid{T1557}{Adversary-in-the-Middle}
\deftid{T1558.001}{Golden Ticket}
\deftid{T1558.002}{Silver Ticket}
\deftid{T1558.003}{Kerberoasting}
\deftid{T1558.004}{AS-REP Roasting}
\deftid{T1558}{Steal or Forge Kerberos Tickets}
\deftid{T1559.001}{Component Object Model}
\deftid{T1559.002}{Dynamic Data Exchange}
\deftid{T1559}{Inter-Process Communication}
\deftid{T1560.001}{Archive via Utility}
\deftid{T1560.002}{Archive via Library}
\deftid{T1560.003}{Archive via Custom Method}
\deftid{T1560}{Archive Collected Data}
\deftid{T1561.001}{Disk Content Wipe}
\deftid{T1561.002}{Disk Structure Wipe}
\deftid{T1561}{Disk Wipe}
\deftid{T1562.001}{Disable or Modify Tools}
\deftid{T1562.002}{Disable Windows Event Logging}
\deftid{T1562.003}{Impair Command History Logging}
\deftid{T1562.004}{Disable or Modify System Firewall}
\deftid{T1562.006}{Indicator Blocking}
\deftid{T1562.007}{Disable or Modify Cloud Firewall}
\deftid{T1562.008}{Disable Cloud Logs}
\deftid{T1562.009}{Safe Mode Boot}
\deftid{T1562.010}{Downgrade Attack}
\deftid{T1562}{Impair Defenses}
\deftid{T1563.001}{SSH Hijacking}
\deftid{T1563.002}{RDP Hijacking}
\deftid{T1563}{Remote Service Session Hijacking}
\deftid{T1564.001}{Hidden Files and Directories}
\deftid{T1564.002}{Hidden Users}
\deftid{T1564.003}{Hidden Window}
\deftid{T1564.004}{NTFS File Attributes}
\deftid{T1564.005}{Hidden File System}
\deftid{T1564.006}{Run Virtual Instance}
\deftid{T1564.007}{VBA Stomping}
\deftid{T1564.008}{Email Hiding Rules}
\deftid{T1564.009}{Resource Forking}
\deftid{T1564}{Hide Artifacts}
\deftid{T1565.001}{Stored Data Manipulation}
\deftid{T1565.002}{Transmitted Data Manipulation}
\deftid{T1565.003}{Runtime Data Manipulation}
\deftid{T1565}{Data Manipulation}
\deftid{T1566.001}{Spearphishing Attachment}
\deftid{T1566.002}{Spearphishing Link}
\deftid{T1566.003}{Spearphishing via Service}
\deftid{T1566}{Phishing}
\deftid{T1567.001}{Exfiltration to Code Repository}
\deftid{T1567.002}{Exfiltration to Cloud Storage}
\deftid{T1567}{Exfiltration Over Web Service}
\deftid{T1568.001}{Fast Flux DNS}
\deftid{T1568.002}{Domain Generation Algorithms}
\deftid{T1568.003}{DNS Calculation}
\deftid{T1568}{Dynamic Resolution}
\deftid{T1569.001}{Launchctl}
\deftid{T1569.002}{Service Execution}
\deftid{T1569}{System Services}
\deftid{T1570}{Lateral Tool Transfer}
\deftid{T1571}{Non-Standard Port}
\deftid{T1572}{Protocol Tunneling}
\deftid{T1573.001}{Symmetric Cryptography}
\deftid{T1573.002}{Asymmetric Cryptography}
\deftid{T1573}{Encrypted Channel}
\deftid{T1574.001}{DLL Search Order Hijacking}
\deftid{T1574.002}{DLL Side-Loading}
\deftid{T1574.004}{Dylib Hijacking}
\deftid{T1574.005}{Executable Installer File Permissions Weakness}
\deftid{T1574.006}{Dynamic Linker Hijacking}
\deftid{T1574.007}{Path Interception by PATH Environment Variable}
\deftid{T1574.008}{Path Interception by Search Order Hijacking}
\deftid{T1574.009}{Path Interception by Unquoted Path}
\deftid{T1574.010}{Services File Permissions Weakness}
\deftid{T1574.011}{Services Registry Permissions Weakness}
\deftid{T1574.012}{COR\_PROFILER}
\deftid{T1574}{Hijack Execution Flow}
\deftid{T1578.001}{Create Snapshot}
\deftid{T1578.002}{Create Cloud Instance}
\deftid{T1578.003}{Delete Cloud Instance}
\deftid{T1578.004}{Revert Cloud Instance}
\deftid{T1578}{Modify Cloud Compute Infrastructure}
\deftid{T1580}{Cloud Infrastructure Discovery}
\deftid{T1583.001}{Domains}
\deftid{T1583.002}{DNS Server}
\deftid{T1583.003}{Virtual Private Server}
\deftid{T1583.004}{Server}
\deftid{T1583.005}{Botnet}
\deftid{T1583.006}{Web Services}
\deftid{T1583}{Acquire Infrastructure}
\deftid{T1584.001}{Domains}
\deftid{T1584.002}{DNS Server}
\deftid{T1584.003}{Virtual Private Server}
\deftid{T1584.004}{Server}
\deftid{T1584.005}{Botnet}
\deftid{T1584.006}{Web Services}
\deftid{T1584}{Compromise Infrastructure}
\deftid{T1585.001}{Social Media Accounts}
\deftid{T1585.002}{Email Accounts}
\deftid{T1585}{Establish Accounts}
\deftid{T1586.001}{Social Media Accounts}
\deftid{T1586.002}{Email Accounts}
\deftid{T1586}{Compromise Accounts}
\deftid{T1587.001}{Malware}
\deftid{T1587.002}{Code Signing Certificates}
\deftid{T1587.003}{Digital Certificates}
\deftid{T1587.004}{Exploits}
\deftid{T1587}{Develop Capabilities}
\deftid{T1588.001}{Malware}
\deftid{T1588.002}{Tool}
\deftid{T1588.003}{Code Signing Certificates}
\deftid{T1588.004}{Digital Certificates}
\deftid{T1588.005}{Exploits}
\deftid{T1588.006}{Vulnerabilities}
\deftid{T1588}{Obtain Capabilities}
\deftid{T1589.001}{Credentials}
\deftid{T1589.002}{Email Addresses}
\deftid{T1589.003}{Employee Names}
\deftid{T1589}{Gather Victim Identity Information}
\deftid{T1590.001}{Domain Properties}
\deftid{T1590.002}{DNS}
\deftid{T1590.003}{Network Trust Dependencies}
\deftid{T1590.004}{Network Topology}
\deftid{T1590.005}{IP Addresses}
\deftid{T1590.006}{Network Security Appliances}
\deftid{T1590}{Gather Victim Network Information}
\deftid{T1591.001}{Determine Physical Locations}
\deftid{T1591.002}{Business Relationships}
\deftid{T1591.003}{Identify Business Tempo}
\deftid{T1591.004}{Identify Roles}
\deftid{T1591}{Gather Victim Org Information}
\deftid{T1592.001}{Hardware}
\deftid{T1592.002}{Software}
\deftid{T1592.003}{Firmware}
\deftid{T1592.004}{Client Configurations}
\deftid{T1592}{Gather Victim Host Information}
\deftid{T1593.001}{Social Media}
\deftid{T1593.002}{Search Engines}
\deftid{T1593}{Search Open Websites/Domains}
\deftid{T1594}{Search Victim-Owned Websites}
\deftid{T1595.001}{Scanning IP Blocks}
\deftid{T1595.002}{Vulnerability Scanning}
\deftid{T1595}{Active Scanning}
\deftid{T1596.001}{DNS/Passive DNS}
\deftid{T1596.002}{WHOIS}
\deftid{T1596.003}{Digital Certificates}
\deftid{T1596.004}{CDNs}
\deftid{T1596.005}{Scan Databases}
\deftid{T1596}{Search Open Technical Databases}
\deftid{T1597.001}{Threat Intel Vendors}
\deftid{T1597.002}{Purchase Technical Data}
\deftid{T1597}{Search Closed Sources}
\deftid{T1598.001}{Spearphishing Service}
\deftid{T1598.002}{Spearphishing Attachment}
\deftid{T1598.003}{Spearphishing Link}
\deftid{T1598}{Phishing for Information}
\deftid{T1599.001}{Network Address Translation Traversal}
\deftid{T1599}{Network Boundary Bridging}
\deftid{T1600.001}{Reduce Key Space}
\deftid{T1600.002}{Disable Crypto Hardware}
\deftid{T1600}{Weaken Encryption}
\deftid{T1601.001}{Patch System Image}
\deftid{T1601.002}{Downgrade System Image}
\deftid{T1601}{Modify System Image}
\deftid{T1602.001}{SNMP (MIB Dump)}
\deftid{T1602.002}{Network Device Configuration Dump}
\deftid{T1602}{Data from Configuration Repository}
\deftid{T1606.001}{Web Cookies}
\deftid{T1606.002}{SAML Tokens}
\deftid{T1606}{Forge Web Credentials}
\deftid{T1608.001}{Upload Malware}
\deftid{T1608.002}{Upload Tool}
\deftid{T1608.003}{Install Digital Certificate}
\deftid{T1608.004}{Drive-by Target}
\deftid{T1608.005}{Link Target}
\deftid{T1608}{Stage Capabilities}
\deftid{T1609}{Container Administration Command}
\deftid{T1610}{Deploy Container}
\deftid{T1611}{Escape to Host}
\deftid{T1612}{Build Image on Host}
\deftid{T1613}{Container and Resource Discovery}
\deftid{T1614.001}{System Language Discovery}
\deftid{T1614}{System Location Discovery}
\deftid{T1615}{Group Policy Discovery}
\deftid{T1619}{Cloud Storage Object Discovery}
\deftid{T1620}{Reflective Code Loading}
% Demonstration document (separate file); it loads the definitions above with \input{mitre_attack}
\documentclass{article}
\usepackage[utf8]{inputenc}
\input{mitre_attack}
\title{Demonstration}
\author{@Wietze}
\begin{document}
\maketitle
The MITRE ATT\&CK sub-technique \texttid{T1059.001} is part of technique \tidtext{T1059}. Due to \tid{T1059.001} being a rather broad attacker technique, it is one of the most popular ones.
\end{document}