The MITRE ATT&CK Framework is a comprehensive, globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It empowers cybersecurity professionals by providing a common language for describing attacks, guiding threat detection, and enhancing defense strategies. This page also provides scripts that check for specific techniques.
This section covers the initial phase of cyber operations—reconnaissance. Here, attackers gather information and identify vulnerabilities before launching an attack.
This script can be used to display the majority of commonly used reconnaissance techniques. For specific techniques, see below.
// Reconnaissance script placeholder
function reconnaissanceScript() {
  // Implement reconnaissance techniques here
  console.log("Reconnaissance in progress...");
}
Active Scanning (T1595) is when attackers actively probe networks by sending data to find live systems, open ports, and services. It’s like knocking on doors to see who answers, revealing potential targets.
Scanning IP Blocks (T1595.001) is when attackers scan entire ranges of IP addresses to identify active devices or systems. It’s like checking every house on a street to see which ones have lights on.
To detect IP block scanning (T1595.001), monitor for multiple connection attempts from a single IP across a wide IP range or many ports in a short timeframe. Use IDS tools to flag SYN or ICMP scans. Analyze firewall logs for repeated denied connections to inactive hosts. SIEM systems can correlate these patterns and trigger alerts. Deploy honeypots to detect and log unsolicited probes, indicating active reconnaissance behavior.
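The correlation described above (one source touching many hosts or many ports in a short timeframe) can be sketched as follows. This is an added example, not a script from this page; the firewall log format, the thresholds and all function names are assumptions made for the illustration.

```javascript
// Added example (not from the original page). Constructed log format:
//   <ISO time> <ALLOW|DENY> <proto> <src>[:sport] -> <dst>[:dport]
const LINE_RE =
  /^(\S+) (ALLOW|DENY) (TCP|UDP|ICMP) (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$/;

function parseFirewallLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, action: m[2], src: m[4], dst: m[6], dport: m[7] ? Number(m[7]) : null };
}

// Reference-counted set, so entries can leave the sliding window again.
function bump(counts, key, delta) {
  const n = (counts.get(key) || 0) + delta;
  if (n <= 0) counts.delete(key);
  else counts.set(key, n);
}

// Flags sources whose distinct destination hosts ("horizontal") or distinct
// destination ports ("vertical") inside any sliding window reach a threshold.
function detectScans(logText, opts = {}) {
  const { windowSeconds = 60, minHosts = 20, minPorts = 25 } = opts;
  const bySrc = new Map();
  for (const line of logText.split("\n")) {
    const ev = parseFirewallLine(line);
    if (!ev) continue; // skip lines that do not parse
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }

  const findings = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.ts - b.ts);
    const hosts = new Map();
    const ports = new Map();
    let left = 0;
    let peakHosts = 0;
    let peakPorts = 0;
    for (const ev of events) {
      bump(hosts, ev.dst, 1);
      if (ev.dport !== null) bump(ports, ev.dport, 1);
      // Drop events that have fallen out of the window.
      while (ev.ts - events[left].ts > windowSeconds * 1000) {
        const old = events[left++];
        bump(hosts, old.dst, -1);
        if (old.dport !== null) bump(ports, old.dport, -1);
      }
      peakHosts = Math.max(peakHosts, hosts.size);
      peakPorts = Math.max(peakPorts, ports.size);
    }
    const kinds = [];
    if (peakHosts >= minHosts) kinds.push("horizontal");
    if (peakPorts >= minPorts) kinds.push("vertical");
    if (kinds.length > 0) {
      const denied = events.filter((e) => e.action === "DENY").length;
      findings.push({ src, kinds, peakHosts, peakPorts, denied, total: events.length });
    }
  }
  return findings;
}

// Constructed sample traffic (documentation address ranges only).
function buildSampleLog() {
  const t0 = Date.parse("2024-05-01T10:00:00Z");
  const stamp = (sec) => new Date(t0 + sec * 1000).toISOString();
  const lines = [];
  // One source, 30 hosts, same port, 30 seconds: a sweep of an IP block.
  for (let i = 1; i <= 30; i++) lines.push(`${stamp(i)} DENY TCP 203.0.113.7:40000 -> 10.0.0.${i}:445`);
  // One source, one host, 41 ports in 41 seconds.
  for (let p = 20; p <= 60; p++) lines.push(`${stamp(80 + p)} DENY TCP 192.0.2.99:40001 -> 10.0.0.8:${p}`);
  // Ordinary client: repeated connections to one service.
  for (let i = 0; i < 5; i++) lines.push(`${stamp(i * 10)} ALLOW TCP 198.51.100.20:5000${i} -> 10.0.0.5:443`);
  // Slow source: 30 hosts, but one every five minutes, so no window fills up.
  for (let i = 1; i <= 30; i++) lines.push(`${stamp(i * 300)} DENY ICMP 198.51.100.77 -> 10.0.1.${i}`);
  return lines.join("\n");
}

console.log(detectScans(buildSampleLog()));
```

The slow source in the sample is not flagged, which is the trade-off of a short window: catching low-and-slow probing needs a second, longer window or the honeypot approach mentioned above.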
To defend against IP block scanning (T1595.001), networks can be configured with firewalls that block or limit unexpected connection attempts. These firewalls act like gatekeepers, only allowing certain types of traffic through. Systems called Intrusion Detection or Prevention Systems (IDS/IPS) can watch for patterns that look like scanning and automatically respond by blocking the source. Network segmentation can also be used—this means splitting the network into smaller sections so that even if one part is scanned or found, the rest stays hidden. Some organizations use “honeypots,” which are fake systems that seem real to attackers, to catch and study scanning activity without exposing real systems. Keeping systems updated and reviewing network logs regularly also helps spot unusual behavior early and reduce the risk of attack.
Scanning IP Blocks (T1595.001) is a reconnaissance technique where an individual or automated tool sends specific network packets to a range of IP addresses to identify active devices and the services they’re running. For instance, an attacker might use a tool like Nmap to perform a TCP SYN scan across an IP range (e.g., 192.168.1.0/24). This scan sends initiation packets to each IP in the block and listens for reply packets that indicate open ports. Alternatively, masscan can be used to rapidly scan extensive IP blocks to reveal services and vulnerabilities by detecting responses from the target devices. The collected data helps in mapping the network, similar to how a surveyor might inspect every house in a neighborhood to see which ones are occupied and what features they exhibit.
No Script To Detect
Vulnerability Scanning (T1595.002) involves using automated tools like Nessus or OpenVAS to scan systems for known weaknesses such as outdated software, default configurations, or exposed services. These scans compare findings against databases of known vulnerabilities (like CVEs). An attacker might use this technique to identify exploitable flaws in internet-facing systems, helping them choose targets more likely to be vulnerable. It’s like digitally probing for weak spots before launching an attack.
Vulnerability scanning can be detected by monitoring for unusual patterns of traffic, such as repeated detailed requests to specific ports or services. Intrusion Detection Systems (IDS) like Suricata can flag known scanner signatures or unusual payloads. Security logs may show repeated probes against different services or paths. SIEM tools can correlate these events, triggering alerts if one device requests detailed system info or touches multiple endpoints in a short period, typical of scanning behavior.
To defend against vulnerability scanning (T1595.002), keep all systems and applications updated to patch known flaws. Use firewalls to block unnecessary ports and restrict access to exposed services. Implement Web Application Firewalls (WAFs) to detect and block scanning behavior. Deploy intrusion detection systems (IDS) to monitor unusual activity. Limiting public-facing services and using honeypots can also help detect and mislead scanners.
An attacker runs a tool like Nessus or OpenVAS against a company’s public IP address to scan for known vulnerabilities. The tool checks for outdated software versions, open ports, and misconfigured services—such as an old Apache server with a critical CVE. If a match is found, the scan reports the weakness, allowing the attacker to plan an exploit or choose the easiest target for compromise.
No Script To Detect
Wordlist Scanning (T1595.003) is when an attacker uses a predefined list of common filenames, URLs, or directories to find hidden content on a website or server. Tools like DirBuster or Gobuster send thousands of requests using words from the list (e.g., "admin", "backup", "login") to guess valid paths. This helps attackers discover unprotected or forgotten resources that could be exploited.
Wordlist scanning can be detected by monitoring web server logs for a high number of 404 (Not Found) responses from a single IP. Intrusion Detection Systems (IDS) or Web Application Firewalls (WAFs) can flag repeated requests for common admin paths or known wordlist entries. Unusual spikes in URL requests or rapid access attempts to non-linked directories are also strong indicators of wordlist scanning activity.
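The 404-based check described above can be run over web server access logs as in the following added example, which is not a script from this page. The sample lines are constructed in the common "combined" access log format, and the thresholds, the one-minute bucketing and the function names are assumptions.

```javascript
// Added example (not from the original page). Sample data is constructed.
const ACCESS_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) /;

function parseAccessLine(line) {
  const m = ACCESS_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    minute: m[2].slice(0, 17), // "10/Oct/2024:13:55" identifies a one-minute bucket
    path: m[4].split("?")[0],
    status: Number(m[5]),
  };
}

// Flags an IP when, within one minute, it sends many requests, most of them
// end in 404, and they target many different paths. The last condition keeps
// a client that retries one missing URL from being reported as a scanner.
// Limitation: fixed one-minute buckets split a burst that straddles a minute boundary.
function detectWordlistScan(logText, opts = {}) {
  const { minRequests = 20, min404Ratio = 0.8, minDistinctPaths = 15 } = opts;
  const buckets = new Map(); // "ip|minute" -> counters
  for (const line of logText.split("\n")) {
    const req = parseAccessLine(line);
    if (!req) continue;
    const key = `${req.ip}|${req.minute}`;
    if (!buckets.has(key)) {
      buckets.set(key, { ip: req.ip, minute: req.minute, requests: 0, notFound: 0, paths: new Set(), answered: [] });
    }
    const b = buckets.get(key);
    b.requests += 1;
    b.paths.add(req.path);
    if (req.status === 404) b.notFound += 1;
    else b.answered.push({ path: req.path, status: req.status });
  }

  const findings = [];
  for (const b of buckets.values()) {
    const ratio = b.notFound / b.requests;
    if (b.requests >= minRequests && ratio >= min404Ratio && b.paths.size >= minDistinctPaths) {
      findings.push({
        ip: b.ip,
        minute: b.minute,
        requests: b.requests,
        notFound: b.notFound,
        distinctPaths: b.paths.size,
        // Paths that did not return 404: what the scan learned exists. Review these first.
        answered: b.answered,
      });
    }
  }
  return findings;
}

// Constructed sample: the four path names come from the text on this page,
// the rest are numbered placeholders standing in for wordlist entries.
function buildSampleAccessLog() {
  const at = (sec) => `10/Oct/2024:13:55:${String(sec).padStart(2, "0")} +0000`;
  const row = (ip, sec, path, status) =>
    `${ip} - - [${at(sec)}] "GET ${path} HTTP/1.1" ${status} 512 "-" "constructed-client"`;
  const lines = [];
  const guesses = ["/admin", "/login", "/backup", "/test"];
  for (let i = 0; i < 36; i++) guesses.push(`/wordlist-entry-${i}`);
  guesses.forEach((path, i) => {
    const status = path === "/backup" ? 200 : path === "/admin" ? 403 : 404;
    lines.push(row("203.0.113.50", i, path, status));
  });
  // Ordinary visitor with one broken link.
  lines.push(row("198.51.100.5", 1, "/", 200));
  lines.push(row("198.51.100.5", 2, "/index.html", 200));
  lines.push(row("198.51.100.5", 2, "/css/site.css", 200));
  lines.push(row("198.51.100.5", 3, "/favicon.ico", 404));
  // Health checker hammering one missing URL: many 404s, one path.
  for (let i = 0; i < 30; i++) lines.push(row("198.51.100.9", i, "/healthz", 404));
  return lines.join("\n");
}

console.log(JSON.stringify(detectWordlistScan(buildSampleAccessLog()), null, 2));
```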
To defend against wordlist scanning, restrict access to sensitive directories using authentication and permissions. Use a Web Application Firewall (WAF) to detect and block rapid, repeated URL requests. Hide internal or admin paths by avoiding predictable names. Enable rate-limiting to slow down automated scans. Monitor logs for patterns of repeated failed requests, and use security tools to alert or block IPs showing scanning behavior.
An attacker uses a tool like Gobuster to scan a website with a wordlist containing common paths like /admin, /login, /backup, and /test. The tool sends hundreds of requests per second, looking for valid pages not linked on the site. If the server responds with a 200 OK instead of a 404, the attacker knows the resource exists and may try to access or exploit it.
No Script To Detect
This phase involves collecting detailed information about the victim's host including its hardware, software, firmware, and client configurations.
Hardware - T1592.001 involves gathering detailed physical device data such as system models, serial numbers, manufacturer info, and peripherals. Technically, attackers use these specifics to assess hardware vulnerabilities. Simply put, they are profiling the device for possible exploitation opportunities.
Detection methods for Hardware - T1592.001 include monitoring for abnormal system queries targeting device information. Tools like endpoint detection and response (EDR) monitor system calls, API usage, and script execution that gathers hardware details. Administrators can review audit logs for irregular inventory scans, use behavioral analytics to detect unauthorized hardware enumeration, and deploy network monitoring to flag anomalous communication patterns indicative of data collection activities.
To combat Hardware - T1592.001, enforce the principle of least privilege, ensuring only trusted users and processes can access hardware details. Implement application whitelisting to block unauthorized tools that query system information. Use virtualization or containerization to abstract hardware from applications, reducing data exposure. Disable unnecessary system interfaces that reveal hardware info, and regularly patch firmware and device drivers to close known vulnerabilities.
Examples of T1592.001 include APT10 collecting server hardware details from managed service providers to tailor attacks. FIN7 used scripts to gather system model and manufacturer information to identify valuable targets. Malware authors may extract hardware data to avoid running in virtual machines or sandboxes. Security testers also use tools like wmic or dmidecode to simulate hardware reconnaissance during assessments.
No Script To Detect
T1592.002 - Software involves identifying the software installed on a target system, including operating systems, applications, versions, and configurations. Technically, attackers use this information to discover vulnerabilities, outdated software, or misconfigurations they can exploit. This reconnaissance can be done through scripts, system commands, or scanning tools. Simply put, attackers are figuring out what programs are running so they can find weak spots to break into the system or move further inside a network.
Detection methods for T1592.002 include monitoring command-line activity and process execution for tools commonly used to list software, such as wmic, powershell, dpkg, or rpm. Use endpoint detection and response (EDR) solutions to flag unusual queries for software inventory. Analyze system logs for signs of enumeration scripts or automated scans. Behavioral analytics can also help detect patterns indicating reconnaissance, such as frequent access to registry keys or system directories listing installed applications.
To combat T1592.002 - Software, enforce strict access controls to limit who can query or view installed software. Regularly patch and update all systems to reduce exploitable vulnerabilities. Use application allowlisting to prevent unauthorized software execution. Monitor systems with endpoint detection and response (EDR) tools for unusual software inventory activity. Disable or restrict system utilities (e.g., PowerShell, WMIC) where possible, and implement logging to track software enumeration attempts for early threat detection.
Examples of T1592.002 include threat groups like APT29 using PowerShell scripts to list installed software and identify outdated applications for exploitation. Malware may also gather software details to determine if it's running in a sandbox or virtual machine. During red team assessments, tools like wmic product get name or dpkg -l are commonly used to enumerate software and find exploitable versions or misconfigurations on target systems.
No Script To Detect
T1592.003 - Firmware involves gathering information about firmware versions on devices like BIOS, UEFI, or embedded controllers. Technically, this helps identify low-level vulnerabilities. Simply, attackers check device software to find hidden ways to break in.
Detection methods for T1592.003 include monitoring for low-level system commands or tools accessing firmware data, such as dmidecode, BIOS configuration utilities, or UEFI queries. Endpoint detection and response (EDR) tools can flag unusual activity related to firmware inspection. Log analysis may reveal unauthorized access to system firmware settings. Additionally, behavioral analytics can help detect patterns consistent with firmware reconnaissance, especially if combined with other system profiling activity.
To combat T1592.003 - Firmware, regularly update device firmware using official vendor sources to patch vulnerabilities. Enable Secure Boot to ensure only trusted firmware loads during startup. Limit low-level system access to privileged users and monitor logs for unusual access attempts. Use endpoint detection tools to detect firmware enumeration, and disable unused hardware interfaces to reduce attack surfaces that expose firmware details to potential adversaries.
Examples of T1592.003 include attackers using tools like dmidecode or fwupd to extract BIOS or UEFI firmware details during reconnaissance. Some advanced persistent threat (APT) groups collect firmware version data to identify outdated or vulnerable firmware. Malware may also inspect firmware to detect virtual environments or bypass security tools. In red team operations, firmware profiling helps identify potential low-level exploits or persistence mechanisms attackers could abuse.
No Script To Detect
T1592.004 - Client Configurations is about an attacker learning how a user’s computer or device is set up. They look at settings like antivirus, firewalls, or group policies. Technically, this helps them find weak points to exploit. Simply put, it's like checking how well a device is protected before deciding how to attack it.
To detect T1592.004 - Client Configurations, monitor for unusual access to system settings, group policies, or security configurations. Use endpoint detection and response (EDR) tools to flag suspicious scripts or commands that query configuration data, such as PowerShell or registry access. Analyze event logs for repeated or unauthorized attempts to read system settings. Behavioral analytics can help identify patterns consistent with reconnaissance of client-side defenses or policy settings.
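The detection paragraphs for T1592.001 through T1592.004 all rely on watching command-line activity for inventory tools, so one added example covers them together; it is not a script from this page. The event fields, the allowlisted parent name "inventory-agent" and the thresholds are hypothetical, and the command patterns beyond the tool names on this page (for example rpm -qa, fwupdmgr, Get-MpComputerStatus) are representative choices, not an exhaustive rule set.

```javascript
// Added example (not from the original page). Events below are constructed.
const RULES = [
  { id: "T1592.001", re: /\bwmic(\.exe)?\s+(csproduct|computersystem|baseboard)\b/i },
  { id: "T1592.001", re: /\bdmidecode\b.*\b(system|baseboard|chassis)\b/i },
  { id: "T1592.002", re: /\bwmic(\.exe)?\s+product\s+get\b/i },
  { id: "T1592.002", re: /\b(dpkg\s+(-l|--list)|rpm\s+-qa)\b/ },
  { id: "T1592.003", re: /\bwmic(\.exe)?\s+bios\b/i },
  { id: "T1592.003", re: /\bdmidecode\b.*\bbios\b/i },
  { id: "T1592.003", re: /\bfwupdmgr\b/i },
  { id: "T1592.004", re: /\bGet-MpComputerStatus\b/i },
  { id: "T1592.004", re: /\bGet-NetFirewall(Rule|Profile)\b/i },
  { id: "T1592.004", re: /\breg(\.exe)?\s+query\b.*\\Policies\\/i },
];

// Returns the sub-technique IDs whose patterns match one command line.
function classify(cmd) {
  const ids = new Set();
  for (const rule of RULES) if (rule.re.test(cmd)) ids.add(rule.id);
  return [...ids];
}

// A single inventory command is normal administration. Alert only when one
// user on one host touches several information categories within a short
// window, and ignore commands launched by an approved inventory agent.
function findHostProfiling(events, opts = {}) {
  const { windowSeconds = 300, minTechniques = 2, allowedParents = ["inventory-agent"] } = opts;
  const groups = new Map(); // "host|user" -> matching commands
  for (const ev of events) {
    if (allowedParents.includes(ev.parent)) continue;
    const ids = classify(ev.cmd);
    if (ids.length === 0) continue;
    const key = `${ev.host}|${ev.user}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push({ ts: Date.parse(ev.ts), ids, cmd: ev.cmd });
  }

  const alerts = [];
  for (const [key, hits] of groups) {
    hits.sort((a, b) => a.ts - b.ts);
    for (const first of hits) {
      // All matching commands in the window that starts at this command.
      const burst = hits.filter((h) => h.ts >= first.ts && h.ts - first.ts <= windowSeconds * 1000);
      const techniques = [...new Set(burst.flatMap((h) => h.ids))].sort();
      if (techniques.length >= minTechniques) {
        const [host, user] = key.split("|");
        alerts.push({ host, user, techniques, commands: burst.map((h) => h.cmd) });
        break; // one alert per host and user
      }
    }
  }
  return alerts;
}

// Constructed process-creation events (hypothetical schema).
const SAMPLE_EVENTS = [
  { ts: "2024-06-03T09:00:05Z", host: "ws-014", user: "jdoe", parent: "powershell.exe", cmd: "wmic product get name,version" },
  { ts: "2024-06-03T09:00:20Z", host: "ws-014", user: "jdoe", parent: "powershell.exe", cmd: "wmic bios get smbiosbiosversion" },
  { ts: "2024-06-03T09:01:02Z", host: "ws-014", user: "jdoe", parent: "cmd.exe", cmd: "powershell -c Get-MpComputerStatus" },
  { ts: "2024-06-03T09:01:30Z", host: "ws-014", user: "jdoe", parent: "cmd.exe", cmd: "wmic csproduct get name,vendor" },
  { ts: "2024-06-03T09:02:00Z", host: "ws-014", user: "jdoe", parent: "cmd.exe", cmd: "ipconfig /all" },
  // Approved inventory run: suppressed by the parent allowlist.
  { ts: "2024-06-03T02:00:00Z", host: "srv-db1", user: "root", parent: "inventory-agent", cmd: "dmidecode -t system" },
  { ts: "2024-06-03T02:00:03Z", host: "srv-db1", user: "root", parent: "inventory-agent", cmd: "dpkg -l" },
  // Two isolated commands hours apart: never two categories in one window.
  { ts: "2024-06-03T09:10:00Z", host: "ws-020", user: "asmith", parent: "bash", cmd: "dpkg -l" },
  { ts: "2024-06-03T14:00:00Z", host: "ws-020", user: "asmith", parent: "bash", cmd: "dmidecode -s bios-version" },
];

console.log(JSON.stringify(findHostProfiling(SAMPLE_EVENTS), null, 2));
```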
To combat T1592.004 - Client Configurations, enforce the principle of least privilege to restrict access to configuration settings. Limit or monitor the use of tools like PowerShell and registry editors. Apply application allowlisting to block unauthorized programs or scripts. Regularly audit and baseline client configurations to detect changes. Disabling unnecessary services and using hardened system templates also helps reduce exposure to configuration-based reconnaissance or exploitation.
Examples of T1592.004 include attackers using PowerShell scripts to query Windows Defender status or firewall rules to assess endpoint defenses. Red teamers often inspect registry keys and Group Policy settings to identify security gaps or misconfigurations. Malware may check if antivirus is active or if User Account Control (UAC) is enabled before proceeding. Such configuration checks help attackers tailor their techniques for bypassing or disabling protections.
No Script To Detect
This phase focuses on collecting identity-related details such as credentials, email addresses, and employee names to build a profile of the target.
Description for harvesting user credentials and login details.
// Code block for Credentials harvesting
console.log("Gathering Credentials snippet");
Description for extracting email addresses from public sources and breaches.
// Code block for Email Addresses extraction
console.log("Gathering Email Addresses snippet");
Description for identifying and gathering employee names from social media and company directories.
// Code block for Employee Names retrieval
console.log("Gathering Employee Names snippet");
Collect network-related details such as IP addresses, Active Directory mappings, and network device inventories.
Identify and enumerate domain-related properties of the victim network.
// Code snippet for Domain Properties discovery
console.log("Domain Properties snippet");
Map and enumerate the victim’s DNS records and Active Directory mappings.
// Code snippet for DNS mapping
console.log("DNS mapping snippet");
Enumerate trust relationships and dependencies within the victim network.
// Code snippet for Network Trust Dependencies
console.log("Network Trust Dependencies snippet");
Visualize and analyze the layout of the victim's network devices and connections.
// Code snippet for Network Topology mapping
console.log("Network Topology snippet");
Enumerate IP addresses assigned to the victim network.
// Code snippet for IP Addresses enumeration
console.log("IP Addresses snippet");
Identify and enumerate firewalls, IDS/IPS, and other security appliances protecting the victim network.
// Code snippet for Network Security Appliances discovery
console.log("Network Security Appliances snippet");
Collecting organization details such as name, location, size, and type.
Retrieve the official name and known aliases of the organization.
// Code snippet for retrieving organization name
console.log("Gathering Organization Name snippet");
Determine the headquarters and branch locations.
// Code snippet for retrieving organization location
console.log("Gathering Organization Location snippet");
Identify the number of employees and revenue scale.
// Code snippet for retrieving organization size
console.log("Gathering Organization Size snippet");
Classify the organization (public, private, government, etc.).
// Code snippet for retrieving organization type
console.log("Gathering Organization Type snippet");
Techniques targeting users to extract sensitive data via deceptive communications.
Targeted phishing to specific individuals within the organization.
// Code snippet for spear phishing technique
console.log("Spear Phishing snippet");
Phishing targeting high-level executives.
// Code snippet for whaling technique
console.log("Whaling snippet");
Duplicate legitimate emails with malicious modifications.
// Code snippet for clone phishing technique
console.log("Clone Phishing snippet");
Voice phishing to trick users into divulging information.
// Code snippet for vishing technique
console.log("Vishing snippet");
Accessing non-public databases and internal document repositories.
Query internal or subscription-based databases.
// Code snippet for querying a private database
console.log("Private Database query snippet");
Search through company archives and secured documents.
// Code snippet for accessing internal repositories
console.log("Internal Repositories query snippet");
Query open-source technical databases for publicly available network and vulnerability data.
Search the Shodan database for exposed devices and services.
// Code snippet for querying Shodan
console.log("Shodan query snippet");
Utilize Censys for detailed internet-wide scanning information.
// Code snippet for querying Censys
console.log("Censys query snippet");
Leverage ZoomEye to find network devices and vulnerabilities.
// Code snippet for querying ZoomEye
console.log("ZoomEye query snippet");
Access BinaryEdge data for insights into exposed infrastructure.
// Code snippet for querying BinaryEdge
console.log("BinaryEdge query snippet");
Gather threat intelligence from RiskIQ's open data sources.
// Code snippet for querying RiskIQ
console.log("RiskIQ query snippet");
Look up public website data, domain history, and subdomain information.
Perform WHOIS lookups for registration details.
// Code snippet for WHOIS lookup
console.log("WHOIS lookup snippet");
Retrieve historical data and changes for a domain.
// Code snippet for domain history lookup
console.log("Domain History snippet");
List and analyze subdomains for the target.
// Code snippet for subdomain enumeration
console.log("Subdomain Enumeration snippet");
Direct search of websites owned and managed by the victim organization.
// Code snippet for searching victim-owned websites
console.log("Victim-Owned Websites search snippet");
This section covers the phases of resource development, outlining the methods attackers use to prepare and build their resources.
This script can be used to display the majority of commonly used resource development techniques. For specific techniques, see below.
// Resource Development script placeholder
function resourceDevelopmentScript() {
  // Implement resource development techniques here
  console.log("Resource development in progress...");
}
Description for Acquire Access.
// Code snippet for Acquire Access
console.log("Acquire Access snippet");
Description for Acquire Infrastructure.
Description for sub-item 1.
// Code snippet for Sub-item 1
console.log("Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Sub-item 2
console.log("Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Sub-item 3
console.log("Sub-item 3 snippet");
Description for sub-item 4.
// Code snippet for Sub-item 4
console.log("Sub-item 4 snippet");
Description for sub-item 5.
// Code snippet for Sub-item 5
console.log("Sub-item 5 snippet");
Description for sub-item 6.
// Code snippet for Sub-item 6
console.log("Sub-item 6 snippet");
Description for sub-item 7.
// Code snippet for Sub-item 7
console.log("Sub-item 7 snippet");
Description for sub-item 8.
// Code snippet for Sub-item 8
console.log("Sub-item 8 snippet");
Description for Compromise Accounts.
Description for sub-item 1.
// Code snippet for Compromise Accounts Sub-item 1
console.log("Compromise Accounts Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Compromise Accounts Sub-item 2
console.log("Compromise Accounts Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Compromise Accounts Sub-item 3
console.log("Compromise Accounts Sub-item 3 snippet");
Description for Compromised Infrastructure.
Description for sub-item 1.
// Code snippet for Compromised Infrastructure Sub-item 1
console.log("Compromised Infrastructure Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Compromised Infrastructure Sub-item 2
console.log("Compromised Infrastructure Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Compromised Infrastructure Sub-item 3
console.log("Compromised Infrastructure Sub-item 3 snippet");
Description for sub-item 4.
// Code snippet for Compromised Infrastructure Sub-item 4
console.log("Compromised Infrastructure Sub-item 4 snippet");
Description for sub-item 5.
// Code snippet for Compromised Infrastructure Sub-item 5
console.log("Compromised Infrastructure Sub-item 5 snippet");
Description for sub-item 6.
// Code snippet for Compromised Infrastructure Sub-item 6
console.log("Compromised Infrastructure Sub-item 6 snippet");
Description for sub-item 7.
// Code snippet for Compromised Infrastructure Sub-item 7
console.log("Compromised Infrastructure Sub-item 7 snippet");
Description for sub-item 8.
// Code snippet for Compromised Infrastructure Sub-item 8
console.log("Compromised Infrastructure Sub-item 8 snippet");
Description for Develop Capabilities.
Description for sub-item 1.
// Code snippet for Develop Capabilities Sub-item 1
console.log("Develop Capabilities Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Develop Capabilities Sub-item 2
console.log("Develop Capabilities Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Develop Capabilities Sub-item 3
console.log("Develop Capabilities Sub-item 3 snippet");
Description for sub-item 4.
// Code snippet for Develop Capabilities Sub-item 4
console.log("Develop Capabilities Sub-item 4 snippet");
Description for Establish Accounts.
Description for sub-item 1.
// Code snippet for Establish Accounts Sub-item 1
console.log("Establish Accounts Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Establish Accounts Sub-item 2
console.log("Establish Accounts Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Establish Accounts Sub-item 3
console.log("Establish Accounts Sub-item 3 snippet");
Description for Obtain Capabilities.
Description for sub-item 1.
// Code snippet for Obtain Capabilities Sub-item 1
console.log("Obtain Capabilities Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Obtain Capabilities Sub-item 2
console.log("Obtain Capabilities Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Obtain Capabilities Sub-item 3
console.log("Obtain Capabilities Sub-item 3 snippet");
Description for sub-item 4.
// Code snippet for Obtain Capabilities Sub-item 4
console.log("Obtain Capabilities Sub-item 4 snippet");
Description for sub-item 5.
// Code snippet for Obtain Capabilities Sub-item 5
console.log("Obtain Capabilities Sub-item 5 snippet");
Description for sub-item 6.
// Code snippet for Obtain Capabilities Sub-item 6
console.log("Obtain Capabilities Sub-item 6 snippet");
Description for sub-item 7.
// Code snippet for Obtain Capabilities Sub-item 7
console.log("Obtain Capabilities Sub-item 7 snippet");
Description for Stage Capabilities.
Description for sub-item 1.
// Code snippet for Stage Capabilities Sub-item 1
console.log("Stage Capabilities Sub-item 1 snippet");
Description for sub-item 2.
// Code snippet for Stage Capabilities Sub-item 2
console.log("Stage Capabilities Sub-item 2 snippet");
Description for sub-item 3.
// Code snippet for Stage Capabilities Sub-item 3
console.log("Stage Capabilities Sub-item 3 snippet");
Description for sub-item 4.
// Code snippet for Stage Capabilities Sub-item 4
console.log("Stage Capabilities Sub-item 4 snippet");
Description for sub-item 5.
// Code snippet for Stage Capabilities Sub-item 5
console.log("Stage Capabilities Sub-item 5 snippet");
Description for sub-item 6.
// Code snippet for Stage Capabilities Sub-item 6
console.log("Stage Capabilities Sub-item 6 snippet");
This section covers the initial entry techniques used by attackers to gain access to target systems.
Description for Content Injection.
Description for Drive-by Compromise.
Description for Exploit Public-Facing Application.
Description for External Remote Service.
Description for Hardware Additions.
Description for Phishing techniques.
Description for Spearphishing Service.
// Code snippet for Spearphishing Service
console.log("Spearphishing Service snippet");
Description for Spearphishing Attachment.
// Code snippet for Spearphishing Attachment
console.log("Spearphishing Attachment snippet");
Description for Spearphishing Link.
// Code snippet for Spearphishing Link
console.log("Spearphishing Link snippet");
Description for Spearphishing Voice.
// Code snippet for Spearphishing Voice
console.log("Spearphishing Voice snippet");
Description for Replication Through Removable Media.
Description for Supply Chain Compromise.
Description for Third-Party Software compromise.
// Code snippet for Third-Party Software
console.log("Third-Party Software snippet");
Description for Third-Party Hardware compromise.
// Code snippet for Third-Party Hardware
console.log("Third-Party Hardware snippet");
Description for Third-Party Services compromise.
// Code snippet for Third-Party Services
console.log("Third-Party Services snippet");
Description for Trusted Relationship.
Description for Valid Accounts.
Description for Local Accounts.
// Code snippet for Local Accounts
console.log("Local Accounts snippet");
Description for Domain Accounts.
// Code snippet for Domain Accounts
console.log("Domain Accounts snippet");
Description for Cloud Accounts.
// Code snippet for Cloud Accounts
console.log("Cloud Accounts snippet");
Description for Default Accounts.
// Code snippet for Default Accounts
console.log("Default Accounts snippet");
This section covers the execution phase of cyber operations, detailing techniques attackers use to run commands and scripts on target systems.
Description for Cloud Administration Command.
// Code snippet for Cloud Administration Command
console.log("Cloud Administration Command snippet");
Description for Command and Scripting Interpreter.
Description for subtechnique 1.
// Code snippet for subtechnique 1 of Command and Scripting Interpreter
console.log("Command and Scripting Interpreter subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for subtechnique 2
console.log("Command and Scripting Interpreter subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for subtechnique 3
console.log("Command and Scripting Interpreter subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for subtechnique 4
console.log("Command and Scripting Interpreter subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for subtechnique 5
console.log("Command and Scripting Interpreter subtechnique 5 snippet");
Description for subtechnique 6.
// Code snippet for subtechnique 6
console.log("Command and Scripting Interpreter subtechnique 6 snippet");
Description for subtechnique 7.
// Code snippet for subtechnique 7
console.log("Command and Scripting Interpreter subtechnique 7 snippet");
Description for subtechnique 8.
// Code snippet for subtechnique 8
console.log("Command and Scripting Interpreter subtechnique 8 snippet");
Description for subtechnique 9.
// Code snippet for subtechnique 9
console.log("Command and Scripting Interpreter subtechnique 9 snippet");
Description for subtechnique 10.
// Code snippet for subtechnique 10
console.log("Command and Scripting Interpreter subtechnique 10 snippet");
Description for subtechnique 11.
// Code snippet for subtechnique 11
console.log("Command and Scripting Interpreter subtechnique 11 snippet");
Description for Container Administration Command.
// Code snippet for Container Administration Command
console.log("Container Administration Command snippet");
Description for Deploy Container.
// Code snippet for Deploy Container
console.log("Deploy Container snippet");
Description for Exploitation for Client Execution.
// Code snippet for Exploitation for Client Execution
console.log("Exploitation for Client Execution snippet");
Description for Inter-Process Communications.
Description for subtechnique 1.
// Code snippet for IPC subtechnique 1
console.log("Inter-Process Communications subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for IPC subtechnique 2
console.log("Inter-Process Communications subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for IPC subtechnique 3
console.log("Inter-Process Communications subtechnique 3 snippet");
Description for Native API.
// Code snippet for Native API
console.log("Native API snippet");
Description for Scheduled Task/Job.
Description for subtechnique 1.
// Code snippet for Scheduled Task/Job subtechnique 1
console.log("Scheduled Task/Job subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Scheduled Task/Job subtechnique 2
console.log("Scheduled Task/Job subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Scheduled Task/Job subtechnique 3
console.log("Scheduled Task/Job subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Scheduled Task/Job subtechnique 4
console.log("Scheduled Task/Job subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Scheduled Task/Job subtechnique 5
console.log("Scheduled Task/Job subtechnique 5 snippet");
Description for Serverless Execution.
// Code snippet for Serverless Execution
console.log("Serverless Execution snippet");
Description for Shared Modules.
// Code snippet for Shared Modules
console.log("Shared Modules snippet");
Description for Software Deployment Tools.
// Code snippet for Software Deployment Tools
console.log("Software Deployment Tools snippet");
Description for System Services.
Description for subtechnique 1.
// Code snippet for System Services subtechnique 1
console.log("System Services subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for System Services subtechnique 2
console.log("System Services subtechnique 2 snippet");
Description for User Execution.
Description for subtechnique 1.
// Code snippet for User Execution subtechnique 1
console.log("User Execution subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for User Execution subtechnique 2
console.log("User Execution subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for User Execution subtechnique 3
console.log("User Execution subtechnique 3 snippet");
Description for Windows Management Instrumentation.
// Code snippet for Windows Management Instrumentation
console.log("Windows Management Instrumentation snippet");
This section covers persistence techniques that adversaries use to maintain long-term access to compromised systems.
Description for Account Manipulation.
Description for subtechnique 1.
// Code snippet for Account Manipulation subtechnique 1 console.log("Account Manipulation subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Account Manipulation subtechnique 2 console.log("Account Manipulation subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Account Manipulation subtechnique 3 console.log("Account Manipulation subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Account Manipulation subtechnique 4 console.log("Account Manipulation subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Account Manipulation subtechnique 5 console.log("Account Manipulation subtechnique 5 snippet");
Description for subtechnique 6.
// Code snippet for Account Manipulation subtechnique 6 console.log("Account Manipulation subtechnique 6 snippet");
Description for subtechnique 7.
// Code snippet for Account Manipulation subtechnique 7 console.log("Account Manipulation subtechnique 7 snippet");
Description for BITS Jobs.
// Code snippet for BITS Jobs console.log("BITS Jobs snippet");
Description for Boot or Logon Autostart Execution.
Description for subtechnique 1.
// Code snippet for Boot or Logon Autostart Execution subtechnique 1 console.log("Boot or Logon Autostart Execution subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Boot or Logon Autostart Execution subtechnique 2 console.log("Boot or Logon Autostart Execution subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Boot or Logon Autostart Execution subtechnique 3 console.log("Boot or Logon Autostart Execution subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Boot or Logon Autostart Execution subtechnique 4 console.log("Boot or Logon Autostart Execution subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Boot or Logon Autostart Execution subtechnique 5 console.log("Boot or Logon Autostart Execution subtechnique 5 snippet");
Description for subtechnique 6.
// Code snippet for Boot or Logon Autostart Execution subtechnique 6 console.log("Boot or Logon Autostart Execution subtechnique 6 snippet");
Description for subtechnique 7.
// Code snippet for Boot or Logon Autostart Execution subtechnique 7 console.log("Boot or Logon Autostart Execution subtechnique 7 snippet");
Description for subtechnique 8.
// Code snippet for Boot or Logon Autostart Execution subtechnique 8 console.log("Boot or Logon Autostart Execution subtechnique 8 snippet");
Description for subtechnique 9.
// Code snippet for Boot or Logon Autostart Execution subtechnique 9 console.log("Boot or Logon Autostart Execution subtechnique 9 snippet");
Description for subtechnique 10.
// Code snippet for Boot or Logon Autostart Execution subtechnique 10 console.log("Boot or Logon Autostart Execution subtechnique 10 snippet");
Description for subtechnique 11.
// Code snippet for Boot or Logon Autostart Execution subtechnique 11 console.log("Boot or Logon Autostart Execution subtechnique 11 snippet");
Description for subtechnique 12.
// Code snippet for Boot or Logon Autostart Execution subtechnique 12 console.log("Boot or Logon Autostart Execution subtechnique 12 snippet");
Description for subtechnique 13.
// Code snippet for Boot or Logon Autostart Execution subtechnique 13 console.log("Boot or Logon Autostart Execution subtechnique 13 snippet");
Description for subtechnique 14.
// Code snippet for Boot or Logon Autostart Execution subtechnique 14 console.log("Boot or Logon Autostart Execution subtechnique 14 snippet");
Description for Boot or Logon Initialization Scripts.
Description for subtechnique 1.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 1 console.log("Boot or Logon Initialization Scripts subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 2 console.log("Boot or Logon Initialization Scripts subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 3 console.log("Boot or Logon Initialization Scripts subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 4 console.log("Boot or Logon Initialization Scripts subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 5 console.log("Boot or Logon Initialization Scripts subtechnique 5 snippet");
Description for Browser Extensions.
// Code snippet for Browser Extensions console.log("Browser Extensions snippet");
Description for Compromise Host Software Binary.
// Code snippet for Compromise Host Software Binary console.log("Compromise Host Software Binary snippet");
Description for Create Account.
Description for subtechnique 1.
// Code snippet for Create Account subtechnique 1 console.log("Create Account subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Create Account subtechnique 2 console.log("Create Account subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Create Account subtechnique 3 console.log("Create Account subtechnique 3 snippet");
Description for Create or Modify System Process.
Description for subtechnique 1.
// Code snippet for Create or Modify System Process subtechnique 1 console.log("Create or Modify System Process subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Create or Modify System Process subtechnique 2 console.log("Create or Modify System Process subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Create or Modify System Process subtechnique 3 console.log("Create or Modify System Process subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Create or Modify System Process subtechnique 4 console.log("Create or Modify System Process subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Create or Modify System Process subtechnique 5 console.log("Create or Modify System Process subtechnique 5 snippet");
Description for Event Triggered Execution.
Description for subtechnique 1.
// Code snippet for Event Triggered Execution subtechnique 1 console.log("Event Triggered Execution subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Event Triggered Execution subtechnique 2 console.log("Event Triggered Execution subtechnique 2 snippet");
Description for External Remote Services.
// Code snippet for External Remote Services console.log("External Remote Services snippet");
Description for Hijack Execution Flow.
Description for subtechnique 1.
// Code snippet for Hijack Execution Flow subtechnique 1 console.log("Hijack Execution Flow subtechnique 1 snippet");
Description for Implant Internal Image.
// Code snippet for Implant Internal Image console.log("Implant Internal Image snippet");
Description for Modify Authentication Process.
Description for subtechnique 1.
// Code snippet for Modify Authentication Process subtechnique 1 console.log("Modify Authentication Process subtechnique 1 snippet");
Description for Office Application Startup.
Description for subtechnique 1.
// Code snippet for Office Application Startup subtechnique 1 console.log("Office Application Startup subtechnique 1 snippet");
Description for Power Settings.
// Code snippet for Power Settings console.log("Power Settings snippet");
Description for Pre-OS Boot.
Description for subtechnique 1.
// Code snippet for Pre-OS Boot subtechnique 1 console.log("Pre-OS Boot subtechnique 1 snippet");
Description for Scheduled Tasks/Jobs.
Description for subtechnique 1.
// Code snippet for Scheduled Tasks/Jobs subtechnique 1 console.log("Scheduled Tasks/Jobs subtechnique 1 snippet");
Description for Server Software Component.
Description for subtechnique 1.
// Code snippet for Server Software Component subtechnique 1 console.log("Server Software Component subtechnique 1 snippet");
Description for Traffic Signaling.
Description for subtechnique 1.
// Code snippet for Traffic Signaling subtechnique 1 console.log("Traffic Signaling subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Traffic Signaling subtechnique 2 console.log("Traffic Signaling subtechnique 2 snippet");
Description for Valid Accounts.
Description for subtechnique 1.
// Code snippet for Valid Accounts subtechnique 1 console.log("Valid Accounts subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Valid Accounts subtechnique 2 console.log("Valid Accounts subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Valid Accounts subtechnique 3 console.log("Valid Accounts subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Valid Accounts subtechnique 4 console.log("Valid Accounts subtechnique 4 snippet");
This section covers persistence techniques that adversaries use to maintain long-term access to compromised systems.
Description for Account Manipulation.
Description for subtechnique 1.
// Code snippet for Account Manipulation subtechnique 1 console.log("Account Manipulation subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Account Manipulation subtechnique 2 console.log("Account Manipulation subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Account Manipulation subtechnique 3 console.log("Account Manipulation subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Account Manipulation subtechnique 4 console.log("Account Manipulation subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Account Manipulation subtechnique 5 console.log("Account Manipulation subtechnique 5 snippet");
Description for Access Token Manipulation.
Description for subtechnique 1.
// Code snippet for subtechnique 1 console.log("Token Impersonation/Theft snippet");
Description for subtechnique 2.
// Code snippet for subtechnique 2 console.log("Create Process With Token snippet");
Description for subtechnique 3.
// Code snippet for subtechnique 3 console.log("Make and Impersonate Token snippet");
Description for subtechnique 4.
// Code snippet for subtechnique 4 console.log("Parent PID Spoofing snippet");
Description for subtechnique 5.
// Code snippet for subtechnique 5 console.log("SID-History Injection snippet");
Description for Boot or Logon Autostart Execution.
Description for subtechnique 1.
// Code snippet for Boot or Logon Autostart Execution subtechnique 1 console.log("Boot or Logon Autostart Execution subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Boot or Logon Autostart Execution subtechnique 2 console.log("Boot or Logon Autostart Execution subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Boot or Logon Autostart Execution subtechnique 3 console.log("Boot or Logon Autostart Execution subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Boot or Logon Autostart Execution subtechnique 4 console.log("Boot or Logon Autostart Execution subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Boot or Logon Autostart Execution subtechnique 5 console.log("Boot or Logon Autostart Execution subtechnique 5 snippet");
Description for subtechnique 6.
// Code snippet for Boot or Logon Autostart Execution subtechnique 6 console.log("Boot or Logon Autostart Execution subtechnique 6 snippet");
Description for subtechnique 7.
// Code snippet for Boot or Logon Autostart Execution subtechnique 7 console.log("Boot or Logon Autostart Execution subtechnique 7 snippet");
Description for Boot or Logon Initialization Scripts.
Description for subtechnique 1.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 1 console.log("Boot or Logon Initialization Scripts subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 2 console.log("Boot or Logon Initialization Scripts subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 3 console.log("Boot or Logon Initialization Scripts subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 4 console.log("Boot or Logon Initialization Scripts subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Boot or Logon Initialization Scripts subtechnique 5 console.log("Boot or Logon Initialization Scripts subtechnique 5 snippet");
Description for Create Account.
Description for subtechnique 1.
// Code snippet for Create Account subtechnique 1 console.log("Create Account subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Create Account subtechnique 2 console.log("Create Account subtechnique 2 snippet");
Description for Power Settings.
// Code snippet for Power Settings console.log("Power Settings snippet");
Description for Event Triggered Execution.
Description for subtechnique 1.
// Code snippet for Event Triggered Execution subtechnique 1 console.log("Event Triggered Execution subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Event Triggered Execution subtechnique 2 console.log("Event Triggered Execution subtechnique 2 snippet");
Description for External Remote Services.
// Code snippet for External Remote Services console.log("External Remote Services snippet");
Description for Hijack Execution Flow.
Description for subtechnique 1.
// Code snippet for Hijack Execution Flow subtechnique 1 console.log("Hijack Execution Flow subtechnique 1 snippet");
Description for Modify Authentication Process.
Description for subtechnique 1.
// Code snippet for Modify Authentication Process subtechnique 1 console.log("Modify Authentication Process subtechnique 1 snippet");
Description for Scheduled Tasks/Jobs.
Description for subtechnique 1.
// Code snippet for Scheduled Tasks/Jobs subtechnique 1 console.log("Scheduled Tasks/Jobs subtechnique 1 snippet");
Description for Valid Accounts.
Description for subtechnique 1.
// Code snippet for Valid Accounts subtechnique 1
console.log("Valid Accounts subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Valid Accounts subtechnique 2
console.log("Valid Accounts subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Valid Accounts subtechnique 3
console.log("Valid Accounts subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Valid Accounts subtechnique 4
console.log("Valid Accounts subtechnique 4 snippet");
This section covers the phases of resource development, outlining the methods attackers use to prepare and build their resources.
This script can be used to display the majority of commonly used resource development techniques. For specific techniques see below.
// Resource Development script placeholder
function resourceDevelopmentScript() {
  // Implement resource development techniques here
  console.log("Resource development in progress...");
}
Description for Account Manipulation.
Description for subtechnique 1.
// Code snippet for Account Manipulation subtechnique 1
console.log("Account Manipulation subtechnique 1 snippet");
Description for subtechnique 2.
// Code snippet for Account Manipulation subtechnique 2
console.log("Account Manipulation subtechnique 2 snippet");
Description for subtechnique 3.
// Code snippet for Account Manipulation subtechnique 3
console.log("Account Manipulation subtechnique 3 snippet");
Description for subtechnique 4.
// Code snippet for Account Manipulation subtechnique 4
console.log("Account Manipulation subtechnique 4 snippet");
Description for subtechnique 5.
// Code snippet for Account Manipulation subtechnique 5
console.log("Account Manipulation subtechnique 5 snippet");
Description for Access Token Manipulation.
Description for subtechnique 1.
// Code snippet for subtechnique 1
console.log("Token Impersonation/Theft snippet");
Description for subtechnique 2.
// Code snippet for subtechnique 2
console.log("Create Process With Token snippet");
Description for subtechnique 3.
// Code snippet for subtechnique 3
console.log("Make and Impersonate Token snippet");
Description for subtechnique 4.
// Code snippet for subtechnique 4
console.log("Parent PID Spoofing snippet");
Description for subtechnique 5.
// Code snippet for subtechnique 5
console.log("SID-History Injection snippet");