MITRE ATTA&CK 日本語化プロジェクト

MITRE ATTA&CK の日本語化プロジェクトです。粛々と翻訳しています。

本家はこちらです。　MITRE ATT&CK

v12を取り込み中。

訳が明らかにおかしいときは、教えてください。連絡先:@amj_trans

TA0043
Reconnaissance
偵察

TA0042
Resource Development
攻撃態勢の確立

TA0001
Initial Access
接触

TA0002
Execution
実行

TA0003
Persistence
永続化

TA0004
Privilege Escalation
権限昇格

TA0005
Defense Evasion
防衛回避

TA0006
Credential Access
認証情報へのアクセス

TA0007
Discovery
探索

TA0008
Lateral Movement
ラテラルムーブメント（侵入拡大）

TA0009
Collection
収集

TA0011
Command and Control
コマンドアンドコントロール(C&C)

TA0010
Exfiltration
持ち出し

TA0040
Impact
影響

10 techniques

7 techniques

9 techniques

13 techniques

19 techniques

13 techniques

42 techniques

17 techniques

30 techniques

9 techniques

17 techniques

16 techniques

9 techniques

13 techniques

=	Active Scanning ₍₃₎
	Scanning IP Blocks Vulnerability Scanning Wordlist Scanning

=	Gather Victim Host Information ₍₄₎
	Hardware Software Firmware Client Configurations

=	Gather Victim Identity Information ₍₃₎
	Credentials Email Addresses Employee Names

=	Gather Victim Network Information ₍₆₎
	Domain Properties DNS Network Trust Dependencies Network Topology IP Addresses Network Security Appliances

=	Gather Victim Org Information ₍₄₎
	Determine Physical Locations Business Relationships Identify Business Tempo Identify Roles

=	Phishing for Information ₍₃₎
	Spearphishing Service Spearphishing Attachment Spearphishing Link

=	Search Closed Sources ₍₂₎
	Threat Intel Vendors Purchase Technical Data

=	Search Open Technical Databases ₍₅₎
	DNS/Passive DNS WHOIS Digital Certificates CDNs Scan Databases

=	Search Open Websites/Domains ₍₃₎
	Social Media Search Engines Code Repositories

Search Victim-Owned Websites

=	Acquire Infrastructure ₍₇₎ 攻撃インフラの獲得
	Domains DNS Server Virtual Private Server Server Botnet Web Services Serverless

=	Compromise Accounts ₍₃₎アカウントの侵害
	Social Media Accounts Email Accounts Cloud Accounts

=	Compromise Infrastructure ₍₇₎インフラの侵害
	Domains DNS Server Virtual Private Server Server Botnet Web Services Serverless

=	Develop Capabilities ₍₄₎武器の開発
	Malware Code Signing Certificates Digital Certificates Exploits

=	Establish Accounts ₍₃₎アカウントの作成
	Social Media Accounts Email Accounts Cloud Accounts

=	Obtain Capabilities ₍₆₎武器の獲得
	Malware Tool Code Signing Certificates Digital Certificates Exploits Vulnerabilities

=	Stage Capabilities ₍₆₎武器の集結
	Upload Malware Upload Tool Install Digital Certificate Drive-by Target Link Target SEO Poisoning

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

=	Phishing ₍₃₎
	Spearphishing Attachment Spearphishing Link Spearphishing via Service

Replication Through Removable Media

=	Supply Chain Compromise ₍₃₎
	Compromise Software Dependencies and Development Tools Compromise Software Supply Chain Compromise Hardware Supply Chain

Trusted Relationship

=	Valid Accounts ₍₄₎
	Default Accounts Domain Accounts Local Accounts Cloud Accounts

=	Command and Scripting Interpreter ₍₈₎
	PowerShell AppleScript Windows Command Shell Unix Shell Visual Basic Python JavaScript Network Device CLI

Container Administration Command

Deploy Container

Exploitation for Client Execution

=	Inter-Process Communication ₍₃₎
	Component Object Model Dynamic Data Exchange XPC Services

Native API

=	Scheduled Task/Job ₍₅₎
	At Cron Scheduled Task Systemd Timers Container Orchestration Job

Serverless Execution
サーバーレス実行

Shared Modules

Software Deployment Tools

=	System Services ₍₂₎
	Launchctl Service Execution

=	User Execution ₍₃₎
	Malicious Link Malicious File Malicious Image

Windows Management Instrumentation

=	Account Manipulation ₍₅₎
	Additional Cloud Credentials Additional Email Delegate Permissions Additional Cloud Roles SSH Authorized Keys Device Registration

BITS Jobs

=	Boot or Logon Autostart Execution ₍₁₄₎ ブートまたはログオン時の自動実行
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider Kernel Modules and Extensions Re-opened Applications LSASS Driver Shortcut Modification Port Monitors Print Processors XDG Autostart Entries Active Setup Login Items

=	Boot or Logon Initialization Scripts ₍₅₎ ブートまたはログオン時の初期化スクリプト
	Logon Script (Windows) Login Hook Network Logon Script RC Scripts Startup Items

Browser Extensions

Compromise Client Software Binary

=	Create Account ₍₃₎
	Local Account Domain Account Cloud Account

=	Create or Modify System Process ₍₄₎
	Launch Agent Systemd Service Windows Service Launch Daemon

=	Event Triggered Execution ₍₁₆₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Unix Shell Configuration Modification Trap LC_LOAD_DYLIB Addition Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Emond Component Object Model Hijacking Installer Packages

External Remote Services

=	Hijack Execution Flow ₍₁₂₎
	DLL Search Order Hijacking DLL Side-Loading Dylib Hijacking Executable Installer File Permissions Weakness Dynamic Linker Hijacking Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable

Implant Internal Image

=	Modify Authentication Process ₍₇₎
	Domain Controller Authentication Password Filter DLL Pluggable Authentication Modules Network Device Authentication Reversible Encryption Multi-Factor Authentication Hybrid Identity

=	Office Application Startup ₍₆₎
	Office Template Macros Office Test Outlook Forms Outlook Home Page Outlook Rules Add-ins

=	Pre-OS Boot ₍₅₎
	System Firmware Component Firmware Bootkit ROMMONkit TFTP Boot

=	Scheduled Task/Job ₍₅₎
	At Cron Scheduled Task Systemd Timers Container Orchestration Job

=	Server Software Component ₍₅₎
	SQL Stored Procedures Transport Agent Web Shell IIS Components Terminal Services DLL

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Valid Accounts ₍₄₎
	Default Accounts Domain Accounts Local Accounts Cloud Accounts

=	Abuse Elevation Control Mechanism ₍₄₎権限制御機構の悪用
	Setuid and Setgid Bypass User Account Control Sudo and Sudo Caching Elevated Execution with Prompt

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

=	Boot or Logon Autostart Execution ₍₁₄₎ ブートまたはログオン時の自動実行
	Registry Run Keys / Startup Folder Authentication Package Time Providers Winlogon Helper DLL Security Support Provider Kernel Modules and Extensions Re-opened Applications LSASS Driver Shortcut Modification Port Monitors Print Processors XDG Autostart Entries Active Setup Login Items

=	Boot or Logon Initialization Scripts ₍₅₎
	Logon Script (Windows) Login Hook Network Logon Script RC Scripts Startup Items

=	Create or Modify System Process ₍₄₎
	Launch Agent Systemd Service Windows Service Launch Daemon

=	Domain Policy Modification ₍₂₎
	Group Policy Modification Domain Trust Modification

Escape to Host

=	Event Triggered Execution ₍₁₆₎
	Change Default File Association Screensaver Windows Management Instrumentation Event Subscription Unix Shell Configuration Modification Trap LC_LOAD_DYLIB Addition Netsh Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Image File Execution Options Injection PowerShell Profile Emond Component Object Model Hijacking Installer Packages

Exploitation for Privilege Escalation

=	Hijack Execution Flow ₍₁₂₎
	DLL Search Order Hijacking DLL Side-Loading Dylib Hijacking Executable Installer File Permissions Weakness Dynamic Linker Hijacking Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable

=	Process Injection ₍₁₂₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Ptrace System Calls Proc Memory Extra Window Memory Injection Process Hollowing Process Doppelgänging VDSO Hijacking ListPlanting

=	Scheduled Task/Job ₍₅₎
	At Cron Scheduled Task Systemd Timers Container Orchestration Job

=	Valid Accounts ₍₄₎
	Default Accounts Domain Accounts Local Accounts Cloud Accounts

=	Abuse Elevation Control Mechanism ₍₄₎権限制御機構の悪用
	Setuid and Setgid Bypass User Account Control Sudo and Sudo Caching Elevated Execution with Prompt

=	Access Token Manipulation ₍₅₎
	Token Impersonation/Theft Create Process with Token Make and Impersonate Token Parent PID Spoofing SID-History Injection

BITS Jobs

Build Image on Host
ホスト上でのイメージビルド

Debugger Evasion
デバッガ回避

Deobfuscate/Decode Files or Information

Deploy Container

Direct Volume Access

=	Domain Policy Modification ₍₂₎
	Group Policy Modification Domain Trust Modification

=	Execution Guardrails ₍₁₎
	Environmental Keying

Exploitation for Defense Evasion

=	File and Directory Permissions Modification ₍₂₎
	Windows File and Directory Permissions Modification Linux and Mac File and Directory Permissions Modification

=	Hide Artifacts ₍₁₀₎
	Hidden Files and Directories Hidden Users Hidden Window NTFS File Attributes Hidden File System Run Virtual Instance VBA Stomping Email Hiding Rules Resource Forking Process Argument Spoofing

=	Hijack Execution Flow ₍₁₂₎
	DLL Search Order Hijacking DLL Side-Loading Dylib Hijacking Executable Installer File Permissions Weakness Dynamic Linker Hijacking Path Interception by PATH Environment Variable Path Interception by Search Order Hijacking Path Interception by Unquoted Path Services File Permissions Weakness Services Registry Permissions Weakness COR_PROFILER KernelCallbackTable

=	Impair Defenses ₍₉₎
	Disable or Modify Tools Disable Windows Event Logging Impair Command History Logging Disable or Modify System Firewall Indicator Blocking Disable or Modify Cloud Firewall Disable Cloud Logs Safe Mode Boot Downgrade Attack

=	Indicator Removal ₍₉₎ 痕跡消去
	Clear Windows Event Logs Clear Linux or Mac System Logs Clear Command History File Deletion Network Share Connection Removal Timestomp Clear Network Connection History and Configurations Clear Mailbox Data Clear Persistence

Indirect Command Execution

=	Masquerading ₍₇₎
	Invalid Code Signature Right-to-Left Override Rename System Utilities Masquerade Task or Service Match Legitimate Name or Location Space after Filename Double File Extension

=	Modify Authentication Process ₍₇₎
	Domain Controller Authentication Password Filter DLL Pluggable Authentication Modules Network Device Authentication Reversible Encryption Multi-Factor Authentication Hybrid Identity

=	Modify Cloud Compute Infrastructure ₍₄₎
	Create Snapshot Create Cloud Instance Delete Cloud Instance Revert Cloud Instance

Modify Registry

=	Modify System Image ₍₂₎
	Patch System Image Downgrade System Image

=	Network Boundary Bridging ₍₁₎
	Network Address Translation Traversal

=	Obfuscated Files or Information ₍₉₎
	Binary Padding Software Packing Steganography Compile After Delivery Indicator Removal from Tools HTML Smuggling Dynamic API Resolution Stripped Payloads Embedded Payloads

Plist File Modification

=	Pre-OS Boot ₍₅₎
	System Firmware Component Firmware Bootkit ROMMONkit TFTP Boot

=	Process Injection ₍₁₂₎
	Dynamic-link Library Injection Portable Executable Injection Thread Execution Hijacking Asynchronous Procedure Call Thread Local Storage Ptrace System Calls Proc Memory Extra Window Memory Injection Process Hollowing Process Doppelgänging VDSO Hijacking ListPlanting

Reflective Code Loading

Rogue Domain Controller

Rootkit

=	Subvert Trust Controls ₍₆₎
	Gatekeeper Bypass Code Signing SIP and Trust Provider Hijacking Install Root Certificate Mark-of-the-Web Bypass Code Signing Policy Modification

=	System Binary Proxy Execution ₍₁₃₎
	Compiled HTML File Control Panel CMSTP InstallUtil Mshta Msiexec Odbcconf Regsvcs/Regasm Regsvr32 Rundll32 Verclsid Mavinject MMC

=	System Script Proxy Execution ₍₁₎
	PubPrn

Template Injection

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Trusted Developer Utilities Proxy Execution ₍₁₎
	MSBuild

Unused/Unsupported Cloud Regions

=	Use Alternate Authentication Material ₍₄₎
	Application Access Token Pass the Hash Pass the Ticket Web Session Cookie

=	Valid Accounts ₍₄₎
	Default Accounts Domain Accounts Local Accounts Cloud Accounts

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

=	Weaken Encryption ₍₂₎
	Reduce Key Space Disable Crypto Hardware

XSL Script Processing

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Brute Force ₍₄₎
	Password Guessing Password Cracking Password Spraying Credential Stuffing

=	Credentials from Password Stores ₍₅₎
	Keychain Securityd Memory Credentials from Web Browsers Windows Credential Manager Password Managers

Exploitation for Credential Access

Forced Authentication

=	Forge Web Credentials ₍₂₎
	Web Cookies SAML Tokens

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

=	Modify Authentication Process ₍₇₎
	Domain Controller Authentication Password Filter DLL Pluggable Authentication Modules Network Device Authentication Reversible Encryption Multi-Factor Authentication Hybrid Identity

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation
多要素認証リクエストの生成

Network Sniffing

=	OS Credential Dumping ₍₈₎
	LSASS Memory Security Account Manager NTDS LSA Secrets Cached Domain Credentials DCSync Proc Filesystem /etc/passwd and /etc/shadow

Steal Application Access Token

Steal or Forge Authentication Certificates

=	Steal or Forge Kerberos Tickets ₍₄₎
	Golden Ticket Silver Ticket Kerberoasting AS-REP Roasting

Steal Web Session Cookie

=	Unsecured Credentials ₍₇₎
	Credentials In Files Credentials in Registry Bash History Private Keys Cloud Instance Metadata API Group Policy Preferences Container API

=	Account Discovery ₍₄₎
	Local Account Domain Account Email Account Cloud Account

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Cloud Storage Object Discovery

Container and Resource Discovery

Debugger Evasion
デバッガ回避

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

=	Permission Groups Discovery ₍₃₎
	Local Groups Domain Groups Cloud Groups

Process Discovery

Query Registry

Remote System Discovery

=	Software Discovery ₍₁₎
	Security Software Discovery

System Information Discovery

=	System Location Discovery ₍₁₎
	System Language Discovery

=	System Network Configuration Discovery ₍₁₎
	Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

=	Virtualization/Sandbox Evasion ₍₃₎
	System Checks User Activity Based Checks Time Based Evasion

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

=	Remote Service Session Hijacking ₍₂₎
	SSH Hijacking RDP Hijacking

=	Remote Services ₍₆₎
	Remote Desktop Protocol SMB/Windows Admin Shares Distributed Component Object Model SSH VNC Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

=	Use Alternate Authentication Material ₍₄₎
	Application Access Token Pass the Hash Pass the Ticket Web Session Cookie

=	Adversary-in-the-Middle ₍₃₎
	LLMNR/NBT-NS Poisoning and SMB Relay ARP Cache Poisoning DHCP Spoofing

=	Archive Collected Data ₍₃₎
	Archive via Utility Archive via Library Archive via Custom Method

Audio Capture

Automated Collection

Browser Session Hijacking

Clipboard Data

Data from Cloud Storage

=	Data from Configuration Repository ₍₂₎
	SNMP (MIB Dump) Network Device Configuration Dump

=	Data from Information Repositories ₍₃₎
	Confluence Sharepoint Code Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

=	Data Staged ₍₂₎
	Local Data Staging Remote Data Staging

=	Email Collection ₍₃₎
	Local Email Collection Remote Email Collection Email Forwarding Rule

=	Input Capture ₍₄₎
	Keylogging GUI Input Capture Web Portal Capture Credential API Hooking

Screen Capture

Video Capture

=	Application Layer Protocol ₍₄₎
	Web Protocols File Transfer Protocols Mail Protocols DNS

Communication Through Removable Media

=	Data Encoding ₍₂₎
	Standard Encoding Non-Standard Encoding

=	Data Obfuscation ₍₃₎
	Junk Data Steganography Protocol Impersonation

=	Dynamic Resolution ₍₃₎
	Fast Flux DNS Domain Generation Algorithms DNS Calculation

=	Encrypted Channel ₍₂₎ 暗号化されたチャネル
	Symmetric Cryptography Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

=	Proxy ₍₄₎
	Internal Proxy External Proxy Multi-hop Proxy Domain Fronting

Remote Access Software

=	Traffic Signaling ₍₂₎
	Port Knocking Socket Filters

=	Web Service ₍₃₎
	Dead Drop Resolver Bidirectional Communication One-Way Communication

=	Automated Exfiltration ₍₁₎
	Traffic Duplication

Data Transfer Size Limits

=	Exfiltration Over Alternative Protocol ₍₃₎
	Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

=	Exfiltration Over Other Network Medium ₍₁₎
	Exfiltration Over Bluetooth

=	Exfiltration Over Physical Medium ₍₁₎
	Exfiltration over USB

=	Exfiltration Over Web Service ₍₂₎
	Exfiltration to Code Repository Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal
アカウント削除

Data Destruction

Data Encrypted for Impact

=	Data Manipulation ₍₃₎
	Stored Data Manipulation Transmitted Data Manipulation Runtime Data Manipulation

=	Defacement ₍₂₎
	Internal Defacement External Defacement

=	Disk Wipe ₍₂₎
	Disk Content Wipe Disk Structure Wipe

=	Endpoint Denial of Service ₍₄₎
	OS Exhaustion Flood Service Exhaustion Flood Application Exhaustion Flood Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

=	Network Denial of Service ₍₂₎
	Direct Network Flood Reflection Amplification

Resource Hijacking

Service Stop

System Shutdown/Reboot

Last modified: 01 April 2022

MITRE ATTA&CK 日本語化プロジェクト

MITRE ATT&CK 日本語化プロジェクト