MITRE ATTA&CK の日本語化プロジェクトです。(非公式)粛々と翻訳しています。(transifex)

本家はこちらです。 MITRE ATT&CK

v10は徐々に取り込みます。階層を検討中。

Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
10 techniques 7 techniques 9 techniques 12 techniques 19 techniques 13 techniques 40 techniques 15 techniques 29 techniques 9 techniques 17 techniques 16 techniques 9 techniques 13 techniques
=
Active Scanning (2)
 
Scanning IP Blocks
Vulnerability Scanning
=
Gather Victim Host Information (4)
 
Hardware
Software
Firmware
Client Configurations
=
Gather Victim Identity Information (3)
 
Credentials
Email Addresses
Employee Names
=
Gather Victim Network Information (6)
 
Domain Properties
DNS
Network Trust Dependencies
Network Topology
IP Addresses
Network Security Appliances
=
Gather Victim Org Information (4)
 
Business Relationships
Determine Physical Locations
Identify Business Tempo
Identify Roles
=
Phishing for Information (3)
 
Spearphishing Service
Spearphishing Attachment
Spearphishing Link
=
Search Closed Sources (2)
 
Threat Intel Vendors
Purchase Technical Data
=
Search Open Technical Databases (5)
 
WHOIS
DNS/Passive DNS
Digital Certificates
CDNs
Scan Databases
=
Search Open Websites/Domains (2)
 
Social Media
Search Engines
Search Victim-Owned Websites
=
Acquire Infrastructure (6)
 
Domains
DNS Server
Virtual Private Server
Server
Botnet
Web Services
=
Compromise Accounts (2)
 
Social Media Accounts
Email Accounts
=
Compromise Infrastructure (6)
 
Domains
DNS Server
Virtual Private Server
Server
Botnet
Web Services
=
Develop Capabilities (4)
 
Malware
Code Signing Certificates
Digital Certificates
Exploits
=
Establish Accounts (2)
 
Social Media Accounts
Email Accounts
=
Obtain Capabilities (6)
 
Malware
Tool
Code Signing Certificates
Digital Certificates
Exploits
Vulnerabilities
=
Stage Capabilities (5)
 
Upload Malware
Upload Tool
Install Digital Certificate
Drive-by Target
Link Target
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
=
Phishing (3)
 
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Replication Through Removable Media
=
Supply Chain Compromise (3)
 
Compromise Software Dependencies and Development Tools
Compromise Software Supply Chain
Compromise Hardware Supply Chain
Trusted Relationship
=
Valid Accounts (4)
 
Default Accounts
Domain Accounts
Local Accounts
Cloud Accounts
=
Command and Scripting Interpreter (8)
 
PowerShell
AppleScript
Windows Command Shell
Unix Shell
Visual Basic
Python
JavaScript
Network Device CLI
Container Administration Command
Deploy Container
Exploitation for Client Execution
=
Inter-Process Communication (2)
 
Component Object Model
Dynamic Data Exchange
Native API
=
Scheduled Task/Job (6)
 
At (Windows)
Scheduled Task
At (Linux)
Cron
Systemd Timers
Container Orchestration Job
Shared Modules
Software Deployment Tools
=
System Services (2)
 
Launchctl
Service Execution
=
User Execution (3)
 
Malicious Link
Malicious File
Malicious Image
Windows Management Instrumentation
=
Account Manipulation (4)
 
Additional Cloud Credentials
Exchange Email Delegate Permissions
Add Office 365 Global Administrator Role
SSH Authorized Keys
BITS Jobs
=
Boot or Logon Autostart Execution (15)
 
Registry Run Keys / Startup Folder
Authentication Package
Time Providers
Winlogon Helper DLL
Security Support Provider
Kernel Modules and Extensions
Re-opened Applications
LSASS Driver
Shortcut Modification
Port Monitors
Plist Modification
Print Processors
XDG Autostart Entries
Active Setup
Login Items
=
Boot or Logon Initialization Scripts (5)
 
Logon Script (Windows)
Logon Script (Mac)
Network Logon Script
RC Scripts
Startup Items
Browser Extensions
Compromise Client Software Binary
=
Create Account (3)
 
Local Account
Domain Account
Cloud Account
=
Create or Modify System Process (4)
 
Launch Agent
Systemd Service
Windows Service
Launch Daemon
=
Event Triggered Execution (15)
 
Change Default File Association
Screensaver
Windows Management Instrumentation Event Subscription
Unix Shell Configuration Modification
Trap
LC_LOAD_DYLIB Addition
Netsh Helper DLL
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Image File Execution Options Injection
PowerShell Profile
Emond
Component Object Model Hijacking
External Remote Services
=
Hijack Execution Flow (11)
 
Services File Permissions Weakness
Executable Installer File Permissions Weakness
Services Registry Permissions Weakness
Path Interception by Unquoted Path
Path Interception by PATH Environment Variable
Path Interception by Search Order Hijacking
DLL Search Order Hijacking
DLL Side-Loading
Dynamic Linker Hijacking
Dylib Hijacking
COR_PROFILER
Implant Internal Image
=
Modify Authentication Process (4)
 
Domain Controller Authentication
Password Filter DLL
Pluggable Authentication Modules
Network Device Authentication
=
Office Application Startup (6)
 
Add-ins
Office Template Macros
Outlook Forms
Outlook Rules
Outlook Home Page
Office Test
=
Pre-OS Boot (5)
 
System Firmware
Component Firmware
Bootkit
ROMMONkit
TFTP Boot
=
Scheduled Task/Job (6)
 
At (Windows)
Scheduled Task
At (Linux)
Cron
Systemd Timers
Container Orchestration Job
=
Server Software Component (4)
 
SQL Stored Procedures
Transport Agent
Web Shell
IIS Components
=
Traffic Signaling (1)
 
Port Knocking
=
Valid Accounts (4)
 
Default Accounts
Domain Accounts
Local Accounts
Cloud Accounts
=
Abuse Elevation Control Mechanism (4)
 
Setuid and Setgid
Bypass User Account Control
Sudo and Sudo Caching
Elevated Execution with Prompt
=
Access Token Manipulation (5)
 
Token Impersonation/Theft
Create Process with Token
Make and Impersonate Token
Parent PID Spoofing
SID-History Injection
=
Boot or Logon Autostart Execution (15)
 
Registry Run Keys / Startup Folder
Authentication Package
Time Providers
Winlogon Helper DLL
Security Support Provider
Kernel Modules and Extensions
Re-opened Applications
LSASS Driver
Shortcut Modification
Port Monitors
Plist Modification
Print Processors
XDG Autostart Entries
Active Setup
Login Items
=
Boot or Logon Initialization Scripts (5)
 
Logon Script (Windows)
Logon Script (Mac)
Network Logon Script
RC Scripts
Startup Items
=
Create or Modify System Process (4)
 
Launch Agent
Systemd Service
Windows Service
Launch Daemon
=
Domain Policy Modification (2)
 
Group Policy Modification
Domain Trust Modification
Escape to Host
=
Event Triggered Execution (15)
 
Change Default File Association
Screensaver
Windows Management Instrumentation Event Subscription
Unix Shell Configuration Modification
Trap
LC_LOAD_DYLIB Addition
Netsh Helper DLL
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Image File Execution Options Injection
PowerShell Profile
Emond
Component Object Model Hijacking
Exploitation for Privilege Escalation
=
Hijack Execution Flow (11)
 
Services File Permissions Weakness
Executable Installer File Permissions Weakness
Services Registry Permissions Weakness
Path Interception by Unquoted Path
Path Interception by PATH Environment Variable
Path Interception by Search Order Hijacking
DLL Search Order Hijacking
DLL Side-Loading
Dynamic Linker Hijacking
Dylib Hijacking
COR_PROFILER
=
Process Injection (11)
 
Dynamic-link Library Injection
Portable Executable Injection
Thread Execution Hijacking
Asynchronous Procedure Call
Thread Local Storage
Ptrace System Calls
Proc Memory
Extra Window Memory Injection
Process Doppelgänging
Process Hollowing
VDSO Hijacking
=
Scheduled Task/Job (6)
 
At (Windows)
Scheduled Task
At (Linux)
Cron
Systemd Timers
Container Orchestration Job
=
Valid Accounts (4)
 
Default Accounts
Domain Accounts
Local Accounts
Cloud Accounts
=
Abuse Elevation Control Mechanism (4)
 
Setuid and Setgid
Bypass User Account Control
Sudo and Sudo Caching
Elevated Execution with Prompt
=
Access Token Manipulation (5)
 
Token Impersonation/Theft
Create Process with Token
Make and Impersonate Token
Parent PID Spoofing
SID-History Injection
BITS Jobs
Build Image on Host
Deobfuscate/Decode Files or Information
Deploy Container
Direct Volume Access
=
Domain Policy Modification (2)
 
Group Policy Modification
Domain Trust Modification
=
Execution Guardrails (1)
 
Environmental Keying
Exploitation for Defense Evasion
=
File and Directory Permissions Modification (2)
 
Windows File and Directory Permissions Modification
Linux and Mac File and Directory Permissions Modification
=
Hide Artifacts (9)
 
Hidden Files and Directories
Hidden Users
Hidden Window
NTFS File Attributes
Hidden File System
Run Virtual Instance
VBA Stomping
Email Hiding Rules
Resource Forking
=
Hijack Execution Flow (11)
 
Services File Permissions Weakness
Executable Installer File Permissions Weakness
Services Registry Permissions Weakness
Path Interception by Unquoted Path
Path Interception by PATH Environment Variable
Path Interception by Search Order Hijacking
DLL Search Order Hijacking
DLL Side-Loading
Dynamic Linker Hijacking
Dylib Hijacking
COR_PROFILER
=
Impair Defenses (9)
 
Disable or Modify Tools
Disable Windows Event Logging
Impair Command History Logging
Disable or Modify System Firewall
Indicator Blocking
Disable or Modify Cloud Firewall
Disable Cloud Logs
Safe Mode Boot
Downgrade Attack
=
Indicator Removal on Host (6)
 
Clear Windows Event Logs
Clear Linux or Mac System Logs
Clear Command History
File Deletion
Network Share Connection Removal
Timestomp
Indirect Command Execution
=
Masquerading (7)
 
Invalid Code Signature
Right-to-Left Override
Rename System Utilities
Masquerade Task or Service
Match Legitimate Name or Location
Space after Filename
Double File Extension
=
Modify Authentication Process (4)
 
Domain Controller Authentication
Password Filter DLL
Pluggable Authentication Modules
Network Device Authentication
=
Modify Cloud Compute Infrastructure (4)
 
Create Snapshot
Create Cloud Instance
Delete Cloud Instance
Revert Cloud Instance
Modify Registry
=
Modify System Image (2)
 
Patch System Image
Downgrade System Image
=
Network Boundary Bridging (1)
 
Network Address Translation Traversal
=
Obfuscated Files or Information (6)
 
Binary Padding
Software Packing
Steganography
Compile After Delivery
Indicator Removal from Tools
HTML Smuggling
=
Pre-OS Boot (5)
 
System Firmware
Component Firmware
Bootkit
ROMMONkit
TFTP Boot
=
Process Injection (11)
 
Dynamic-link Library Injection
Portable Executable Injection
Thread Execution Hijacking
Asynchronous Procedure Call
Thread Local Storage
Ptrace System Calls
Proc Memory
Extra Window Memory Injection
Process Doppelgänging
Process Hollowing
VDSO Hijacking
Reflective Code Loading
Rogue Domain Controller
Rootkit
=
Signed Binary Proxy Execution (13)
 
Rundll32
Compiled HTML File
Control Panel
CMSTP
InstallUtil
Mshta
Regsvcs/Regasm
Regsvr32
Msiexec
Odbcconf
Verclsid
Mavinject
MMC
=
Signed Script Proxy Execution (1)
 
PubPrn
=
Subvert Trust Controls (6)
 
Gatekeeper Bypass
Code Signing
SIP and Trust Provider Hijacking
Install Root Certificate
Mark-of-the-Web Bypass
Code Signing Policy Modification
Template Injection
=
Traffic Signaling (1)
 
Port Knocking
=
Trusted Developer Utilities Proxy Execution (1)
 
MSBuild
Unused/Unsupported Cloud Regions
=
Use Alternate Authentication Material (4)
 
Pass the Hash
Pass the Ticket
Application Access Token
Web Session Cookie
=
Valid Accounts (4)
 
Default Accounts
Domain Accounts
Local Accounts
Cloud Accounts
=
Virtualization/Sandbox Evasion (3)
 
System Checks
User Activity Based Checks
Time Based Evasion
=
Weaken Encryption (2)
 
Reduce Key Space
Disable Crypto Hardware
XSL Script Processing
=
Adversary-in-the-Middle (2)
 
LLMNR/NBT-NS Poisoning and SMB Relay
ARP Cache Poisoning
=
Brute Force (4)
 
Password Guessing
Password Cracking
Password Spraying
Credential Stuffing
=
Credentials from Password Stores (5)
 
Keychain
Securityd Memory
Credentials from Web Browsers
Windows Credential Manager
Password Managers
Exploitation for Credential Access
Forced Authentication
=
Forge Web Credentials (2)
 
Web Cookies
SAML Tokens
=
Input Capture (4)
 
Keylogging
GUI Input Capture
Web Portal Capture
Credential API Hooking
=
Modify Authentication Process (4)
 
Domain Controller Authentication
Password Filter DLL
Pluggable Authentication Modules
Network Device Authentication
Network Sniffing
=
OS Credential Dumping (8)
 
LSASS Memory
Security Account Manager
NTDS
DCSync
Proc Filesystem
/etc/passwd and /etc/shadow
Cached Domain Credentials
LSA Secrets
Steal Application Access Token
=
Steal or Forge Kerberos Tickets (4)
 
Golden Ticket
Silver Ticket
Kerberoasting
AS-REP Roasting
Steal Web Session Cookie
Two-Factor Authentication Interception
=
Unsecured Credentials (7)
 
Credentials In Files
Credentials in Registry
Bash History
Private Keys
Cloud Instance Metadata API
Group Policy Preferences
Container API
=
Account Discovery (4)
 
Local Account
Domain Account
Email Account
Cloud Account
Application Window Discovery
Browser Bookmark Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
Container and Resource Discovery
Domain Trust Discovery
File and Directory Discovery
Group Policy Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (3)
 
Domain Groups
Cloud Groups
Local Groups
Process Discovery
Query Registry
Remote System Discovery
=
Software Discovery (1)
 
Security Software Discovery
System Information Discovery
=
System Location Discovery (1)
 
System Language Discovery
=
System Network Configuration Discovery (1)
 
Internet Connection Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
=
Virtualization/Sandbox Evasion (3)
 
System Checks
User Activity Based Checks
Time Based Evasion
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (2)
 
SSH Hijacking
RDP Hijacking
=
Remote Services (6)
 
Remote Desktop Protocol
SMB/Windows Admin Shares
Distributed Component Object Model
SSH
VNC
Windows Remote Management
Replication Through Removable Media
Software Deployment Tools
Taint Shared Content
=
Use Alternate Authentication Material (4)
 
Pass the Hash
Pass the Ticket
Application Access Token
Web Session Cookie
=
Adversary-in-the-Middle (2)
 
LLMNR/NBT-NS Poisoning and SMB Relay
ARP Cache Poisoning
=
Archive Collected Data (3)
 
Archive via Utility
Archive via Library
Archive via Custom Method
Audio Capture
Automated Collection
Browser Session Hijacking
Clipboard Data
Data from Cloud Storage Object
=
Data from Configuration Repository (2)
 
SNMP (MIB Dump)
Network Device Configuration Dump
=
Data from Information Repositories (3)
 
Confluence
Sharepoint
Code Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
=
Data Staged (2)
 
Local Data Staging
Remote Data Staging
=
Email Collection (3)
 
Local Email Collection
Remote Email Collection
Email Forwarding Rule
=
Input Capture (4)
 
Keylogging
GUI Input Capture
Web Portal Capture
Credential API Hooking
Screen Capture
Video Capture
=
Application Layer Protocol (4)
 
Web Protocols
File Transfer Protocols
Mail Protocols
DNS
Communication Through Removable Media
=
Data Encoding (2)
 
Standard Encoding
Non-Standard Encoding
=
Data Obfuscation (3)
 
Junk Data
Steganography
Protocol Impersonation
=
Dynamic Resolution (3)
 
Domain Generation Algorithms
Fast Flux DNS
DNS Calculation
=
Encrypted Channel (2)
 
Symmetric Cryptography
Asymmetric Cryptography
Fallback Channels
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
=
Proxy (4)
 
Internal Proxy
External Proxy
Multi-hop Proxy
Domain Fronting
Remote Access Software
=
Traffic Signaling (1)
 
Port Knocking
=
Web Service (3)
 
Dead Drop Resolver
Bidirectional Communication
One-Way Communication
=
Automated Exfiltration (1)
 
Traffic Duplication
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
 
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
 
Exfiltration Over Bluetooth
=
Exfiltration Over Physical Medium (1)
 
Exfiltration over USB
=
Exfiltration Over Web Service (2)
 
Exfiltration to Code Repository
Exfiltration to Cloud Storage
Scheduled Transfer
Transfer Data to Cloud Account
Account Access Removal
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (3)
 
Stored Data Manipulation
Transmitted Data Manipulation
Runtime Data Manipulation
=
Defacement (2)
 
Internal Defacement
External Defacement
=
Disk Wipe (2)
 
Disk Content Wipe
Disk Structure Wipe
=
Endpoint Denial of Service (4)
 
OS Exhaustion Flood
Service Exhaustion Flood
Application Exhaustion Flood
Application or System Exploitation
Firmware Corruption
Inhibit System Recovery
=
Network Denial of Service (2)
 
Direct Network Flood
Reflection Amplification
Resource Hijacking
Service Stop
System Shutdown/Reboot
Last modified: 03 November 2021