Direct Volume Access
Direct Volume Access (T1006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may directly access a volume to bypass file access controls and file system monitoring.
ATT&CK tactic
149 techniques mapped to this tactic.
Rootkit (T1014) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
Obfuscated Files or Information (T1027) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Binary Padding (T1027.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
Software Packing (T1027.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may perform software packing or virtual machine software protection to conceal their code.
Steganography (T1027.003) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use steganography techniques in order to prevent the detection of hidden information.
Compile After Delivery (T1027.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code.
Indicator Removal from Tools (T1027.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed.
HTML Smuggling (T1027.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
Dynamic API Resolution (T1027.007) is a MITRE ATT&CK technique associated with Stealth. Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis.
Stripped Payloads (T1027.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information.
Embedded Payloads (T1027.009) is a MITRE ATT&CK technique associated with Stealth. Adversaries may embed payloads within other files to conceal malicious content from defenses.
Command Obfuscation (T1027.010) is a MITRE ATT&CK technique associated with Stealth. Adversaries may obfuscate content during command execution to impede detection.
Fileless Storage (T1027.011) is a MITRE ATT&CK technique associated with Stealth. Adversaries may store data in "fileless" formats to conceal malicious activity from defenses.
LNK Icon Smuggling (T1027.012) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files.
Encrypted/Encoded File (T1027.013) is a MITRE ATT&CK technique associated with Stealth. Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.
Polymorphic Code (T1027.014) is a MITRE ATT&CK technique associated with Stealth. Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection.
Compression (T1027.015) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use compression to obfuscate their payloads or files.
Junk Code Insertion (T1027.016) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use junk code / dead code to obfuscate a malware’s functionality.
SVG Smuggling (T1027.017) is a MITRE ATT&CK technique associated with Stealth. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs, or Scalable Vector Graphics, are vector-based image files constr…
Invisible Unicode (T1027.018) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text.
Masquerading (T1036) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
Invalid Code Signature (T1036.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool.
Right-to-Left Override (T1036.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign.
Rename Legitimate Utilities (T1036.003) is a MITRE ATT&CK technique associated with Stealth. Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities.
Masquerade Task or Service (T1036.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign.
Match Legitimate Resource Name or Location (T1036.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them.
Space after Filename (T1036.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries can hide a program's true filetype by changing the extension of a file.
Double File Extension (T1036.007) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse a double extension in the filename as a means of masquerading the true file type.
Masquerade File Type (T1036.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents.
Break Process Trees (T1036.009) is a MITRE ATT&CK technique associated with Stealth. An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID).
Masquerade Account Name (T1036.010) is a MITRE ATT&CK technique associated with Stealth. Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.
Overwrite Process Arguments (T1036.011) is a MITRE ATT&CK technique associated with Stealth. Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process.
Browser Fingerprint (T1036.012) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zon…
Process Injection (T1055) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
Dynamic-link Library Injection (T1055.001) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.
Portable Executable Injection (T1055.002) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.
Thread Execution Hijacking (T1055.003) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.
Asynchronous Procedure Call (T1055.004) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly…
Thread Local Storage (T1055.005) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privi…
Ptrace System Calls (T1055.008) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privile…
Proc Memory (T1055.009) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges.
Extra Window Memory Injection (T1055.011) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges.
Process Hollowing (T1055.012) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.
Process Doppelgänging (T1055.013) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges.
VDSO Hijacking (T1055.014) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges.
ListPlanting (T1055.015) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may abuse list view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.
Indicator Removal (T1070) is a MITRE ATT&CK technique associated with Stealth. Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity.
Clear Command History (T1070.003) is a MITRE ATT&CK technique associated with Stealth. In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
File Deletion (T1070.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may delete files left behind by the actions of their intrusion activity.
Network Share Connection Removal (T1070.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Timestomp (T1070.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may modify file time attributes to hide new files or changes to existing files.
Clear Network Connection History and Configurations (T1070.007) is a MITRE ATT&CK technique associated with Stealth. Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations.
Clear Mailbox Data (T1070.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may modify mail and mail application data to remove evidence of their activity.
Clear Persistence (T1070.009) is a MITRE ATT&CK technique associated with Stealth. Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity.
Relocate Malware (T1070.010) is a MITRE ATT&CK technique associated with Stealth. Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses.
Valid Accounts (T1078) is a MITRE ATT&CK technique associated with Stealth, Persistence, Privilege Escalation, Initial Access. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense…
Default Accounts (T1078.001) is a MITRE ATT&CK technique associated with Stealth, Persistence, Privilege Escalation, Initial Access. Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or D…
Domain Accounts (T1078.002) is a MITRE ATT&CK technique associated with Stealth, Persistence, Privilege Escalation, Initial Access. Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Def…
Local Accounts (T1078.003) is a MITRE ATT&CK technique associated with Stealth, Persistence, Privilege Escalation, Initial Access. Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defen…
Cloud Accounts (T1078.004) is a MITRE ATT&CK technique associated with Stealth, Persistence, Privilege Escalation, Initial Access. Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or De…
Trusted Developer Utilities Proxy Execution (T1127) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.
MSBuild (T1127.001) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility.
ClickOnce (T1127.002) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment that enables a user to…
JamPlus (T1127.003) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use JamPlus to proxy the execution of a malicious script.
Access Token Manipulation (T1134) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Token Impersonation/Theft (T1134.001) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls.
Create Process with Token (T1134.002) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may create a new process with an existing token to escalate privileges and bypass access controls.
Make and Impersonate Token (T1134.003) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls.
Parent PID Spoofing (T1134.004) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process monitoring defenses or to elevate privileges.
SID History Injection (T1134.005) is a MITRE ATT&CK technique associated with Stealth, Privilege Escalation. Adversaries may use SID History Injection to escalate privileges and bypass access controls.
Deobfuscate/Decode Files or Information (T1140) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.
BITS Jobs (T1197) is a MITRE ATT&CK technique associated with Stealth, Persistence, Execution. Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.
Indirect Command Execution (T1202) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Traffic Signaling (T1205) is a MITRE ATT&CK technique associated with Stealth, Persistence, Command and Control. Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control.
Port Knocking (T1205.001) is a MITRE ATT&CK technique associated with Stealth, Persistence, Command and Control. Adversaries may use port knocking to hide open ports used for persistence or command and control.
Socket Filters (T1205.002) is a MITRE ATT&CK technique associated with Stealth, Persistence, Command and Control. Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control.
Exploitation for Stealth (T1211) is a MITRE ATT&CK technique associated with Stealth. Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
System Script Proxy Execution (T1216) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files.
PubPrn (T1216.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use PubPrn to proxy execution of malicious remote files.
SyncAppvPublishingServer (T1216.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands.
System Binary Proxy Execution (T1218) is a MITRE ATT&CK technique associated with Stealth. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.
Compiled HTML File (T1218.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code.
Control Panel (T1218.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse control.exe to proxy execution of malicious payloads.
CMSTP (T1218.003) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse CMSTP to proxy execution of malicious code.
InstallUtil (T1218.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.
Mshta (T1218.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility.
Msiexec (T1218.007) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Odbcconf (T1218.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads.
Regsvcs/Regasm (T1218.009) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility.
Regsvr32 (T1218.010) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse Regsvr32.exe to proxy execution of malicious code.
Rundll32 (T1218.011) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse rundll32.exe to proxy execution of malicious code.
Verclsid (T1218.012) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse verclsid.exe to proxy execution of malicious code.
Mavinject (T1218.013) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse mavinject.exe to proxy execution of malicious code.
MMC (T1218.014) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse mmc.exe to proxy execution of malicious .msc files.
Electron Applications (T1218.015) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse components of the Electron framework to execute malicious code.
XSL Script Processing (T1220) is a MITRE ATT&CK technique associated with Stealth. Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files.
Template Injection (T1221) is a MITRE ATT&CK technique associated with Stealth. Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Execution Guardrails (T1480) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target.
Environmental Keying (T1480.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment.
Mutual Exclusion (T1480.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may constrain execution or actions based on the presence of a mutex associated with malware.
Virtualization/Sandbox Evasion (T1497) is a MITRE ATT&CK technique associated with Stealth, Discovery. Adversaries may employ various means to detect and avoid virtualization and analysis environments.
System Checks (T1497.001) is a MITRE ATT&CK technique associated with Stealth, Discovery. Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
User Activity Based Checks (T1497.002) is a MITRE ATT&CK technique associated with Stealth, Discovery. Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments.
Time Based Checks (T1497.003) is a MITRE ATT&CK technique associated with Stealth, Discovery. Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer…
Unused/Unsupported Cloud Regions (T1535) is a MITRE ATT&CK technique associated with Stealth. Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
Pre-OS Boot (T1542) is a MITRE ATT&CK technique associated with Stealth, Persistence. Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.
System Firmware (T1542.001) is a MITRE ATT&CK technique associated with Stealth, Persistence. System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity.
Component Firmware (T1542.002) is a MITRE ATT&CK technique associated with Stealth, Persistence. Adversaries may modify component firmware to persist on systems.
Bootkit (T1542.003) is a MITRE ATT&CK technique associated with Stealth, Persistence. Adversaries may use bootkits to persist on systems.
ROMMONkit (T1542.004) is a MITRE ATT&CK technique associated with Stealth, Persistence. Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect.
TFTP Boot (T1542.005) is a MITRE ATT&CK technique associated with Stealth, Persistence. Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server.
Pass the Hash (PtH) is the reuse of an NTLM password hash to authenticate without recovering the account's plaintext password. An adversary who obtains a reusable hash may authenticate to services that accept NTLM and operate with the victim account's privileges. The activity…
Hide Artifacts (T1564) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.
Hidden Files and Directories (T1564.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may set files and directories to be hidden to evade detection mechanisms.
Hidden Users (T1564.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use hidden users to hide the presence of user accounts they create or modify.
Hidden Window (T1564.003) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
NTFS File Attributes (T1564.004) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Hidden File System (T1564.005) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use a hidden file system to conceal malicious activity from users and security tools.
Run Virtual Instance (T1564.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may carry out malicious operations using a virtual instance to avoid detection.
VBA Stomping (T1564.007) is a MITRE ATT&CK technique associated with Stealth. MS Office documents with embedded VBA content store source code inside of module streams.
Email Hiding Rules (T1564.008) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use email rules to hide inbound emails in a compromised user's mailbox.
Resource Forking (T1564.009) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
Process Argument Spoofing (T1564.010) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to hide process command line arguments by overwriting process memory.
Ignore Process Interrupts (T1564.011) is a MITRE ATT&CK technique associated with Stealth. Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals.
File/Path Exclusions (T1564.012) is a MITRE ATT&CK technique associated with Stealth. Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities.
Bind Mounts (T1564.013) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities.
Extended Attributes (T1564.014) is a MITRE ATT&CK technique associated with Stealth. Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection.
Hijack Execution Flow (T1574) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
DLL (T1574.001) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Dylib Hijacking (T1574.004) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
Executable Installer File Permissions Weakness (T1574.005) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.
Dynamic Linker Hijacking (T1574.006) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Path Interception by PATH Environment Variable (T1574.007) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.
Path Interception by Search Order Hijacking (T1574.008) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Path Interception by Unquoted Path (T1574.009) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Services File Permissions Weakness (T1574.010) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Services Registry Permissions Weakness (T1574.011) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
COR_PROFILER (T1574.012) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
KernelCallbackTable (T1574.013) is a MITRE ATT&CK technique associated with Stealth, Execution. An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload.
AppDomainManager (T1574.014) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies.
Build Image on Host (T1612) is a MITRE ATT&CK technique associated with Stealth. Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry.
Reflective Code Loading (T1620) is a MITRE ATT&CK technique associated with Stealth. Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.
Debugger Evasion (T1622) is a MITRE ATT&CK technique associated with Stealth, Discovery. Adversaries may employ various means to detect and avoid debuggers.
Delay Execution (T1678) is a MITRE ATT&CK technique associated with Stealth. Adversaries may employ various time-based methods to evade detection and analysis.
Selective Exclusion (T1679) is a MITRE ATT&CK technique associated with Stealth. Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution.
Social Engineering (T1684) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of a…
Impersonation (T1684.001) is a MITRE ATT&CK technique associated with Stealth. Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Email Spoofing (T1684.002) is a MITRE ATT&CK technique associated with Stealth. Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses. In addition to actual ema…