NetWitness Threat Content (by MITRE ATT&CK Technique)

Entries are ATT&CK sub-techniques; techniques that have no sub-techniques are not listed. The number in parentheses after an entry is the count of NetWitness content items mapped to it.

Reconnaissance
10 Techniques

Active Scanning
  Scanning IP Blocks
  Vulnerability Scanning
  Wordlist Scanning

Gather Victim Host Information
  Client Configurations
  Firmware
  Hardware
  Software

Gather Victim Identity Information
  Credentials
  Email Addresses
  Employee Names

Gather Victim Network Information
  DNS (1)
  Domain Properties
  IP Addresses
  Network Security Appliances
  Network Topology
  Network Trust Dependencies

Gather Victim Org Information
  Business Relationships
  Determine Physical Locations
  Identify Business Tempo
  Identify Roles

Phishing for Information
  Spearphishing Attachment (1)
  Spearphishing Link
  Spearphishing Service

Search Closed Sources
  Purchase Technical Data
  Threat Intel Vendors

Search Open Technical Databases
  CDNs
  DNS/Passive DNS
  Digital Certificates (2)
  Scan Databases
  WHOIS

Search Open Websites/Domains
  Code Repositories
  Search Engines
  Social Media

Resource Development
7 Techniques

Acquire Infrastructure
  Botnet
  DNS Server
  Domains
  Server
  Serverless
  Virtual Private Server
  Web Services

Compromise Accounts
  Cloud Accounts (3)
  Email Accounts
  Social Media Accounts

Compromise Infrastructure
  Botnet
  DNS Server (1)
  Domains
  Server
  Serverless
  Virtual Private Server
  Web Services

Develop Capabilities
  Code Signing Certificates
  Digital Certificates (2)
  Exploits
  Malware (3)

Establish Accounts
  Cloud Accounts
  Email Accounts
  Social Media Accounts

Obtain Capabilities
  Code Signing Certificates
  Digital Certificates
  Exploits
  Malware
  Tool
  Vulnerabilities

Stage Capabilities
  Drive-by Target
  Install Digital Certificate
  Link Target
  SEO Poisoning
  Upload Malware
  Upload Tool

Initial Access
9 Techniques

Phishing
  Spearphishing Attachment (17)
  Spearphishing Link (2)
  Spearphishing via Service

Supply Chain Compromise
  Compromise Hardware Supply Chain
  Compromise Software Dependencies and Development Tools
  Compromise Software Supply Chain

Valid Accounts
  Cloud Accounts (3)
  Default Accounts (1)
  Domain Accounts (2)
  Local Accounts (2)

Execution
13 Techniques

Command and Scripting Interpreter
  AppleScript (1)
  JavaScript (7)
  Network Device CLI
  PowerShell (31)
  Python (1)
  Unix Shell (3)
  Visual Basic (1)
  Windows Command Shell (14)

Inter-Process Communication
  Component Object Model
  Dynamic Data Exchange
  XPC Services

Scheduled Task/Job
  At
  Container Orchestration Job
  Cron (2)
  Scheduled Task (12)
  Systemd Timers

System Services
  Launchctl (1)
  Service Execution (30)

User Execution
  Malicious File (13)
  Malicious Image
  Malicious Link (6)

Persistence
19 Techniques

Account Manipulation
  Additional Cloud Credentials (2)
  Additional Cloud Roles
  Additional Email Delegate Permissions
  Device Registration
  SSH Authorized Keys (1)

Boot or Logon Autostart Execution
  Active Setup (1)
  Authentication Package (1)
  Kernel Modules and Extensions (1)
  LSASS Driver (4)
  Login Items
  Port Monitors (1)
  Print Processors (1)
  Re-opened Applications
  Registry Run Keys / Startup Folder (12)
  Security Support Provider (1)
  Shortcut Modification
  Time Providers (2)
  Winlogon Helper DLL (2)
  XDG Autostart Entries

Boot or Logon Initialization Scripts
  Login Hook
  Logon Script (Windows) (1)
  Network Logon Script
  RC Scripts
  Startup Items (1)

Create Account
  Cloud Account (7)
  Domain Account (1)
  Local Account (1)

Create or Modify System Process
  Launch Agent (2)
  Launch Daemon (3)
  Systemd Service
  Windows Service (13)

Event Triggered Execution
  Accessibility Features (4)
  AppCert DLLs (1)
  AppInit DLLs (2)
  Application Shimming (2)
  Change Default File Association (2)
  Component Object Model Hijacking (1)
  Emond
  Image File Execution Options Injection (1)
  Installer Packages
  LC_LOAD_DYLIB Addition
  Netsh Helper DLL (1)
  PowerShell Profile
  Screensaver
  Trap
  Unix Shell Configuration Modification
  Windows Management Instrumentation Event Subscription (2)

Hijack Execution Flow
  COR_PROFILER
  DLL Search Order Hijacking (2)
  DLL Side-Loading (1)
  Dylib Hijacking (1)
  Dynamic Linker Hijacking (1)
  Executable Installer File Permissions Weakness
  KernelCallbackTable
  Path Interception by PATH Environment Variable (1)
  Path Interception by Search Order Hijacking
  Path Interception by Unquoted Path
  Services File Permissions Weakness
  Services Registry Permissions Weakness (1)

Modify Authentication Process
  Domain Controller Authentication
  Hybrid Identity
  Multi-Factor Authentication
  Network Device Authentication
  Password Filter DLL (1)
  Pluggable Authentication Modules
  Reversible Encryption

Office Application Startup
  Add-ins
  Office Template Macros
  Office Test
  Outlook Forms
  Outlook Home Page
  Outlook Rules

Pre-OS Boot
  Bootkit
  Component Firmware
  ROMMONkit
  System Firmware
  TFTP Boot

Scheduled Task/Job
  At
  Container Orchestration Job
  Cron (2)
  Scheduled Task (12)
  Systemd Timers

Server Software Component
  IIS Components
  SQL Stored Procedures
  Terminal Services DLL
  Transport Agent
  Web Shell (13)

Traffic Signaling
  Port Knocking
  Socket Filters

Valid Accounts
  Cloud Accounts (3)
  Default Accounts (1)
  Domain Accounts (2)
  Local Accounts (2)

Privilege Escalation
13 Techniques

Abuse Elevation Control Mechanism
  Bypass User Account Control (7)
  Elevated Execution with Prompt
  Setuid and Setgid
  Sudo and Sudo Caching

Access Token Manipulation
  Create Process with Token
  Make and Impersonate Token
  Parent PID Spoofing
  SID-History Injection
  Token Impersonation/Theft (1)

Boot or Logon Autostart Execution
  Active Setup (1)
  Authentication Package (1)
  Kernel Modules and Extensions (1)
  LSASS Driver (4)
  Login Items
  Port Monitors (1)
  Print Processors (1)
  Re-opened Applications
  Registry Run Keys / Startup Folder (12)
  Security Support Provider (1)
  Shortcut Modification
  Time Providers (2)
  Winlogon Helper DLL (2)
  XDG Autostart Entries

Boot or Logon Initialization Scripts
  Login Hook
  Logon Script (Windows) (1)
  Network Logon Script
  RC Scripts
  Startup Items (1)

Create or Modify System Process
  Launch Agent (2)
  Launch Daemon (3)
  Systemd Service
  Windows Service (13)

Domain Policy Modification
  Domain Trust Modification
  Group Policy Modification (1)

Event Triggered Execution
  Accessibility Features (4)
  AppCert DLLs (1)
  AppInit DLLs (2)
  Application Shimming (2)
  Change Default File Association (2)
  Component Object Model Hijacking (1)
  Emond
  Image File Execution Options Injection (1)
  Installer Packages
  LC_LOAD_DYLIB Addition
  Netsh Helper DLL (1)
  PowerShell Profile
  Screensaver
  Trap
  Unix Shell Configuration Modification
  Windows Management Instrumentation Event Subscription (2)

Hijack Execution Flow
  COR_PROFILER
  DLL Search Order Hijacking (2)
  DLL Side-Loading (1)
  Dylib Hijacking (1)
  Dynamic Linker Hijacking (1)
  Executable Installer File Permissions Weakness
  KernelCallbackTable
  Path Interception by PATH Environment Variable (1)
  Path Interception by Search Order Hijacking
  Path Interception by Unquoted Path
  Services File Permissions Weakness
  Services Registry Permissions Weakness (1)

Process Injection
  Asynchronous Procedure Call
  Dynamic-link Library Injection (3)
  Extra Window Memory Injection
  ListPlanting
  Portable Executable Injection (1)
  Proc Memory
  Process Doppelgänging
  Process Hollowing
  Ptrace System Calls
  Thread Execution Hijacking
  Thread Local Storage
  VDSO Hijacking

Scheduled Task/Job
  At
  Container Orchestration Job
  Cron (2)
  Scheduled Task (12)
  Systemd Timers

Valid Accounts
  Cloud Accounts (3)
  Default Accounts (1)
  Domain Accounts (2)
  Local Accounts (2)

Defense Evasion
42 Techniques

Abuse Elevation Control Mechanism
  Bypass User Account Control (7)
  Elevated Execution with Prompt
  Setuid and Setgid
  Sudo and Sudo Caching

Access Token Manipulation
  Create Process with Token
  Make and Impersonate Token
  Parent PID Spoofing
  SID-History Injection
  Token Impersonation/Theft (1)

Domain Policy Modification
  Domain Trust Modification
  Group Policy Modification (1)

Execution Guardrails
  Environmental Keying

File and Directory Permissions Modification
  Linux and Mac File and Directory Permissions Modification (2)
  Windows File and Directory Permissions Modification

Hide Artifacts
  Email Hiding Rules
  Hidden File System
  Hidden Files and Directories (5)
  Hidden Users
  Hidden Window (1)
  NTFS File Attributes (2)
  Process Argument Spoofing
  Resource Forking (1)
  Run Virtual Instance
  VBA Stomping

Hijack Execution Flow
  COR_PROFILER
  DLL Search Order Hijacking (2)
  DLL Side-Loading (1)
  Dylib Hijacking (1)
  Dynamic Linker Hijacking (1)
  Executable Installer File Permissions Weakness
  KernelCallbackTable
  Path Interception by PATH Environment Variable (1)
  Path Interception by Search Order Hijacking
  Path Interception by Unquoted Path
  Services File Permissions Weakness
  Services Registry Permissions Weakness (1)

Impair Defenses
  Disable Cloud Logs (4)
  Disable Windows Event Logging (2)
  Disable or Modify Cloud Firewall (5)
  Disable or Modify System Firewall (5)
  Disable or Modify Tools (22)
  Downgrade Attack
  Impair Command History Logging
  Indicator Blocking (4)
  Safe Mode Boot

Indicator Removal
  Clear Command History
  Clear Linux or Mac System Logs
  Clear Mailbox Data
  Clear Network Connection History and Configurations
  Clear Persistence
  Clear Windows Event Logs (7)
  File Deletion (4)
  Network Share Connection Removal
  Timestomp

Masquerading
  Double File Extension
  Invalid Code Signature
  Masquerade Task or Service
  Match Legitimate Name or Location (1)
  Rename System Utilities
  Right-to-Left Override
  Space after Filename (1)

Modify Authentication Process
  Domain Controller Authentication
  Hybrid Identity
  Multi-Factor Authentication
  Network Device Authentication
  Password Filter DLL (1)
  Pluggable Authentication Modules
  Reversible Encryption

Modify Cloud Compute Infrastructure
  Create Cloud Instance (8)
  Create Snapshot
  Delete Cloud Instance (3)
  Revert Cloud Instance

Modify System Image
  Downgrade System Image
  Patch System Image

Network Boundary Bridging
  Network Address Translation Traversal

Obfuscated Files or Information
  Binary Padding (1)
  Compile After Delivery (1)
  Dynamic API Resolution
  Embedded Payloads
  HTML Smuggling
  Indicator Removal from Tools (1)
  Software Packing (4)
  Steganography
  Stripped Payloads

Pre-OS Boot
  Bootkit
  Component Firmware
  ROMMONkit
  System Firmware
  TFTP Boot

Process Injection
  Asynchronous Procedure Call
  Dynamic-link Library Injection (3)
  Extra Window Memory Injection
  ListPlanting
  Portable Executable Injection (1)
  Proc Memory
  Process Doppelgänging
  Process Hollowing
  Ptrace System Calls
  Thread Execution Hijacking
  Thread Local Storage
  VDSO Hijacking

Subvert Trust Controls
  Code Signing (1)
  Code Signing Policy Modification
  Gatekeeper Bypass (2)
  Install Root Certificate (5)
  Mark-of-the-Web Bypass
  SIP and Trust Provider Hijacking

System Binary Proxy Execution
  CMSTP
  Compiled HTML File (8)
  Control Panel
  InstallUtil
  MMC
  Mavinject
  Mshta (8)
  Msiexec (2)
  Odbcconf (1)
  Regsvcs/Regasm (1)
  Regsvr32 (3)
  Rundll32 (13)
  Verclsid

System Script Proxy Execution
  PubPrn (1)

Traffic Signaling
  Port Knocking
  Socket Filters

Trusted Developer Utilities Proxy Execution
  MSBuild (4)

Use Alternate Authentication Material
  Application Access Token
  Pass the Hash (2)
  Pass the Ticket (1)
  Web Session Cookie (2)

Valid Accounts
  Cloud Accounts (3)
  Default Accounts (1)
  Domain Accounts (2)
  Local Accounts (2)

Virtualization/Sandbox Evasion
  System Checks
  Time Based Evasion (5)
  User Activity Based Checks

Weaken Encryption
  Disable Crypto Hardware
  Reduce Key Space

Credential Access
17 Techniques

Adversary-in-the-Middle
  ARP Cache Poisoning
  DHCP Spoofing
  LLMNR/NBT-NS Poisoning and SMB Relay

Brute Force
  Credential Stuffing (1)
  Password Cracking
  Password Guessing
  Password Spraying

Credentials from Password Stores
  Credentials from Web Browsers
  Keychain
  Password Managers
  Securityd Memory
  Windows Credential Manager

Forge Web Credentials
  SAML Tokens
  Web Cookies

Input Capture
  Credential API Hooking
  GUI Input Capture
  Keylogging (3)
  Web Portal Capture

Modify Authentication Process
  Domain Controller Authentication
  Hybrid Identity
  Multi-Factor Authentication
  Network Device Authentication
  Password Filter DLL (1)
  Pluggable Authentication Modules
  Reversible Encryption

OS Credential Dumping
  /etc/passwd and /etc/shadow
  Cached Domain Credentials
  DCSync
  LSA Secrets
  LSASS Memory (3)
  NTDS (1)
  Proc Filesystem (3)
  Security Account Manager

Steal or Forge Kerberos Tickets
  AS-REP Roasting
  Golden Ticket
  Kerberoasting
  Silver Ticket

Unsecured Credentials
  Bash History (1)
  Cloud Instance Metadata API
  Container API
  Credentials In Files (2)
  Credentials in Registry
  Group Policy Preferences
  Private Keys

Discovery
30 Techniques

Account Discovery
  Cloud Account (7)
  Domain Account (1)
  Email Account
  Local Account (2)

Permission Groups Discovery
  Cloud Groups
  Domain Groups (4)
  Local Groups

Software Discovery
  Security Software Discovery (1)

System Location Discovery
  System Language Discovery

System Network Configuration Discovery
  Internet Connection Discovery (2)

Virtualization/Sandbox Evasion
  System Checks
  Time Based Evasion (5)
  User Activity Based Checks

Lateral Movement
9 Techniques

Remote Service Session Hijacking
  RDP Hijacking (1)
  SSH Hijacking

Remote Services
  Distributed Component Object Model
  Remote Desktop Protocol (4)
  SMB/Windows Admin Shares (19)
  SSH
  VNC
  Windows Remote Management

Use Alternate Authentication Material
  Application Access Token
  Pass the Hash (2)
  Pass the Ticket (1)
  Web Session Cookie (2)

Collection
17 Techniques

Adversary-in-the-Middle
  ARP Cache Poisoning
  DHCP Spoofing
  LLMNR/NBT-NS Poisoning and SMB Relay

Archive Collected Data
  Archive via Custom Method (4)
  Archive via Library
  Archive via Utility (4)

Data Staged
  Local Data Staging
  Remote Data Staging

Data from Configuration Repository
  Network Device Configuration Dump
  SNMP (MIB Dump)

Data from Information Repositories
  Code Repositories
  Confluence
  Sharepoint

Email Collection
  Email Forwarding Rule
  Local Email Collection
  Remote Email Collection

Input Capture
  Credential API Hooking
  GUI Input Capture
  Keylogging (3)
  Web Portal Capture

Command and Control
16 Techniques

Application Layer Protocol
  DNS (9)
  File Transfer Protocols
  Mail Protocols
  Web Protocols (13)

Data Encoding
  Non-Standard Encoding (2)
  Standard Encoding (9)

Data Obfuscation
  Junk Data (2)
  Protocol Impersonation
  Steganography (1)

Dynamic Resolution
  DNS Calculation
  Domain Generation Algorithms
  Fast Flux DNS (3)

Encrypted Channel
  Asymmetric Cryptography (3)
  Symmetric Cryptography (6)

Proxy
  Domain Fronting
  External Proxy
  Internal Proxy (1)
  Multi-hop Proxy (1)

Traffic Signaling
  Port Knocking
  Socket Filters

Web Service
  Bidirectional Communication
  Dead Drop Resolver (2)
  One-Way Communication

Exfiltration
9 Techniques

Automated Exfiltration
  Traffic Duplication

Exfiltration Over Alternative Protocol
  Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  Exfiltration Over Symmetric Encrypted Non-C2 Protocol (4)
  Exfiltration Over Unencrypted Non-C2 Protocol (4)

Exfiltration Over Other Network Medium
  Exfiltration Over Bluetooth

Exfiltration Over Physical Medium
  Exfiltration over USB

Exfiltration Over Web Service
  Exfiltration to Cloud Storage
  Exfiltration to Code Repository

Impact
13 Techniques

Data Manipulation
  Runtime Data Manipulation
  Stored Data Manipulation
  Transmitted Data Manipulation

Defacement
  External Defacement
  Internal Defacement

Disk Wipe
  Disk Content Wipe
  Disk Structure Wipe (1)

Endpoint Denial of Service
  Application Exhaustion Flood
  Application or System Exploitation
  OS Exhaustion Flood
  Service Exhaustion Flood

Network Denial of Service
  Direct Network Flood (2)
  Reflection Amplification