index.html
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Head of the D3FEND matrix page: crawler and viewport metadata, stylesheets,
     ES-module preload hints, then the title and Open Graph tags. -->
<!-- Asks crawlers not to index this page or follow its links. -->
<meta name="robots" content="noindex, nofollow" />
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
<meta name="theme-color" content="#333333" />
<!-- /global-d3fend.css and /favicon.ico are root-absolute, while the build assets
     below use ./_app/ relative paths. If this file is served from a sub-path the two
     forms resolve to different locations. NOTE(review): confirm the hosting layout. -->
<link rel="stylesheet" href="/global-d3fend.css" />
<!-- NOTE(review): type says image/png but the href ends in .ico; confirm which
     format is actually served. -->
<link rel="icon" type="image/png" href="/favicon.ico" />
<!-- This contains the contents of the <svelte:head> component, if
the current page has one -->
<!-- Component stylesheets from the build output. Every stylesheet and modulepreload
     URL in this head is same-origin (./_app/immutable/ or root-absolute); nothing is
     fetched from a third-party origin here. -->
<link href="./_app/immutable/assets/2.DHvdcSOX.css" rel="stylesheet">
<link href="./_app/immutable/assets/Notification.B8zKbhCg.css" rel="stylesheet">
<link href="./_app/immutable/assets/Nav-mobile.Cc6pGg8P.css" rel="stylesheet">
<link href="./_app/immutable/assets/Hamburger.uK-LTuq7.css" rel="stylesheet">
<link href="./_app/immutable/assets/Search-Result.C6IiA5Sl.css" rel="stylesheet">
<link href="./_app/immutable/assets/Alert._ky_-3FE.css" rel="stylesheet">
<link href="./_app/immutable/assets/Graph-off_to_def.BTRGXWhX.css" rel="stylesheet">
<link href="./_app/immutable/assets/_Graph.MOATHYbt.css" rel="stylesheet">
<link href="./_app/immutable/assets/blog-layout.S9BvnYOd.css" rel="stylesheet">
<link href="./_app/immutable/assets/ToggleBar.Ci6X6nIU.css" rel="stylesheet">
<link href="./_app/immutable/assets/16.C5EZRtST.css" rel="stylesheet">
<link href="./_app/immutable/assets/SimpleAutocomplete.CR_NfDj6.css" rel="stylesheet">
<link href="./_app/immutable/assets/D3FMatrix.CIQPW5Cs.css" rel="stylesheet">
<link href="./_app/immutable/assets/Loading.DZFAeXr1.css" rel="stylesheet">
<link href="./_app/immutable/assets/icon.BL1UzxCP.css" rel="stylesheet">
<link href="./_app/immutable/assets/ScrollFrame.BogPnN07.css" rel="stylesheet">
<link href="./_app/immutable/assets/Header.BfhnT_w6.css" rel="stylesheet">
<link href="./_app/immutable/assets/Lookup-DAO.DNPQYLUM.css" rel="stylesheet">
<!-- Preload hints for the ES-module chunks of the client bundle. The list includes
     marked.esm and mermaid chunks. NOTE(review): presumably Markdown and diagram
     renderers; if their output is inserted as raw HTML anywhere, confirm the input
     is trusted or sanitized. -->
<link rel="modulepreload" href="./_app/immutable/entry/start.BqLk7f5U.js">
<link rel="modulepreload" href="./_app/immutable/chunks/entry.D5y5HF-9.js">
<link rel="modulepreload" href="./_app/immutable/chunks/scheduler.BuUavueM.js">
<link rel="modulepreload" href="./_app/immutable/chunks/index.hAAhajWd.js">
<link rel="modulepreload" href="./_app/immutable/chunks/control.CYgJF_JY.js">
<link rel="modulepreload" href="./_app/immutable/entry/app.B0Oi9ysV.js">
<link rel="modulepreload" href="./_app/immutable/chunks/preload-helper.C1FmrZbK.js">
<link rel="modulepreload" href="./_app/immutable/chunks/index.B8nkrWGc.js">
<link rel="modulepreload" href="./_app/immutable/nodes/0.BF_FWZ8Y.js">
<link rel="modulepreload" href="./_app/immutable/nodes/2.C_SE5iMM.js">
<link rel="modulepreload" href="./_app/immutable/chunks/mermaid-6dc72991.Z4iInIm7.js">
<link rel="modulepreload" href="./_app/immutable/chunks/_commonjsHelpers.C4iS2aBk.js">
<link rel="modulepreload" href="./_app/immutable/chunks/transform.B54KPHx3.js">
<link rel="modulepreload" href="./_app/immutable/chunks/_isIterateeCall.B4omVPds.js">
<link rel="modulepreload" href="./_app/immutable/chunks/_getTag.Dmq4_93-.js">
<link rel="modulepreload" href="./_app/immutable/chunks/isArray.CqO_RI43.js">
<link rel="modulepreload" href="./_app/immutable/chunks/isEmpty.BQ-MdN2s.js">
<link rel="modulepreload" href="./_app/immutable/chunks/config.CU0BtwVx.js">
<link rel="modulepreload" href="./_app/immutable/chunks/matrix.Da5s4cAc.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Notification.C9YwdAY_.js">
<link rel="modulepreload" href="./_app/immutable/chunks/index.ifUE41Lz.js">
<link rel="modulepreload" href="./_app/immutable/chunks/stores.joY6sq-3.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Nav-mobile.Do92PLkj.js">
<link rel="modulepreload" href="./_app/immutable/chunks/each.Ckho9Dz0.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Hamburger.WrRnnixg.js">
<link rel="modulepreload" href="./_app/immutable/chunks/stores.1wZ9lVii.js">
<link rel="modulepreload" href="./_app/immutable/chunks/await_block.8NTS1AiM.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Search-Result.BflK3PKo.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Alert.Ci27c02Q.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Graph-off_to_def.DtF1HkgV.js">
<link rel="modulepreload" href="./_app/immutable/chunks/_Graph.BQtyR-cL.js">
<link rel="modulepreload" href="./_app/immutable/chunks/lib.BDR6A2xH.js">
<link rel="modulepreload" href="./_app/immutable/chunks/marked.esm.D23x4JZT.js">
<link rel="modulepreload" href="./_app/immutable/chunks/ToggleBar.BqwPd21l.js">
<link rel="modulepreload" href="./_app/immutable/chunks/utils.xEKteSAW.js">
<link rel="modulepreload" href="./_app/immutable/chunks/_createCompounder.DRJ5hmHl.js">
<link rel="modulepreload" href="./_app/immutable/chunks/updateDefendTree.Bqz-u-yc.js">
<link rel="modulepreload" href="./_app/immutable/nodes/16.8_LkgttC.js">
<link rel="modulepreload" href="./_app/immutable/chunks/techniques.BunsVZrz.js">
<link rel="modulepreload" href="./_app/immutable/chunks/SimpleAutocomplete.CVdXRzZ8.js">
<link rel="modulepreload" href="./_app/immutable/chunks/globals.D0QH3NT1.js">
<link rel="modulepreload" href="./_app/immutable/chunks/spread.CgU5AtxT.js">
<link rel="modulepreload" href="./_app/immutable/chunks/D3FMatrix.D64jD6rr.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Loading.C3fUnRvY.js">
<link rel="modulepreload" href="./_app/immutable/chunks/layers.55DOGihP.js">
<link rel="modulepreload" href="./_app/immutable/chunks/actions.BBsoAZW9.js">
<link rel="modulepreload" href="./_app/immutable/chunks/ScrollFrame.2c8aYfah.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Title.CTiQNLLX.js">
<link rel="modulepreload" href="./_app/immutable/chunks/Header.FNfR-j_w.js">
<!-- The last preload shares its line with the page title, followed by the Open Graph
     tags enclosed in HEAD_svelte START/END marker comments. og:url and og:image are
     absolute https://d3fend.mitre.org URLs, so link previews reference that site
     wherever this copy is hosted. NOTE(review): the markers look like anchors the
     client uses to locate the svelte:head output; leave them intact. -->
<link rel="modulepreload" href="./_app/immutable/chunks/Lookup-DAO.Der5Slgw.js"><title>D3FEND Matrix | MITRE D3FEND™</title><!-- HEAD_svelte-1b5eb8v_START --><meta property="og:type" content="website"><meta property="og:title" content="MITRE D3FEND Knowledge Graph"><meta property="og:url" content="https://d3fend.mitre.org/"><meta property="og:image" content="https://d3fend.mitre.org/img/d3fend-og.png"><meta property="og:description" content="D3FEND is a knowledge base of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality."><!-- HEAD_svelte-1b5eb8v_END -->
</head>
<body>
<!-- The application will be rendered inside this element,
because `src/client.js` references it -->
<div> <nav class="svelte-anufko"> <nav id="desktop" class="svelte-h837uo"><ul class="text-1 svelte-h837uo"><li class="logo svelte-h837uo" data-svelte-h="svelte-4hq3qq"><a href="/" class="svelte-h837uo"><img alt="MITRE logo" src="/img/mitre.png" class="svelte-h837uo"></a></li> <li class="svelte-h837uo"><a aria-current="page" href="/" class="svelte-h837uo">matrix</a></li> <li class="svelte-h837uo" data-svelte-h="svelte-jkwowe"><a class="glow svelte-h837uo" href="/cad">CAD</a></li> <li class="svelte-h837uo"><a href="/dao" class="svelte-h837uo">artifacts</a></li> <li class="svelte-h837uo"><a class=" svelte-h837uo" href="/taxonomies">taxonomies</a></li> <li class="svelte-h837uo"><a href="/about" class="svelte-h837uo">about</a></li> <li class="svelte-h837uo"><a href="/resources" class=" svelte-h837uo">resources</a></li> <li class="svelte-h837uo"><a href="/contribute" class=" svelte-h837uo">contribute</a></li> <li class="svelte-h837uo"><a href="/faq" class="svelte-h837uo">faq</a></li> <li class="svelte-h837uo"><a href="/blog" class="svelte-h837uo">blog</a></li> <li class="svelte-h837uo"><a href="/search" class="svelte-h837uo">search</a></li> <li class="logo logo-right svelte-h837uo" data-svelte-h="svelte-2u6zbz"><a href="https://www.nsa.gov" class="svelte-h837uo"><img id="sponsor_logo" alt="NSA logo" src="/img/nsa.png" class="svelte-h837uo"></a></li> </ul></nav> <nav id="mobile"><div><button aria-label="Close Mobile Menu" style="z-index: 3;" class="svelte-tc5541"><svg width="32" height="28" class="svelte-tc5541"><line id="top" x1="0" y1="4" x2="32" y2="4" class="svelte-tc5541"></line><line id="middle" x1="0" y1="14" x2="24" y2="14" class="svelte-tc5541"></line><line id="bottom" x1="0" y1="24" x2="32" y2="24" class="svelte-tc5541"></line></svg> </button></div> </nav></nav> <main class="svelte-anufko"> <div id="mwrap" class="svelte-axm6z3"><div><div class="text-center logo fancy-font svelte-1ib5bv6">D3FEND<sup class="trademark fancy-font svelte-1ib5bv6" 
data-svelte-h="svelte-1lmjpig">™</sup> </div> <div class="text-center tagline svelte-1ib5bv6" data-svelte-h="svelte-fh0jr0"><small>A knowledge <a style="all:unset;display:inline;text-decoration:none;cursor:pointer" href="/cad">graph</a> of cybersecurity countermeasures</small></div> </div> <br> <div id="wrapper" class="flex svelte-axm6z3"><span id="offensive" class="left"><div class="autocomplete select is-fullwidth sautocomplete-323 svelte-75ckfb"><select class="svelte-75ckfb"></select> <div class="input-container svelte-75ckfb"> <input type="text" class=" input autocomplete-input svelte-75ckfb" id="" autocomplete="off" placeholder="ATT&CK Lookup" tabindex="0"> </div> <div class=" autocomplete-list hidden is-fullwidth svelte-75ckfb"> <div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1001 - Data Obfuscation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1001.001 - Junk Data<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1001.002 - Steganography<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1001.003 - Protocol or Service Impersonation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1002 - Data Compressed<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003 - OS Credential Dumping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.001 - LSASS Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.002 - Security Account Manager<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.003 - NTDS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.004 - LSA 
Secrets<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.005 - Cached Domain Credentials<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.006 - DCSync<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.007 - Proc Filesystem<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1003.008 - /etc/passwd and /etc/shadow<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1004 - Winlogon Helper DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1005 - Data from Local System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1006 - Direct Volume Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1007 - System Service Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1008 - Fallback Channels<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1009 - Binary Padding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1010 - Application Window Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1011 - Exfiltration Over Other Network Medium<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1011.001 - Exfiltration Over Bluetooth<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1012 - Query Registry<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1013 - Port Monitors<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1014 - Rootkit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1015 - Accessibility Features<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1016 - System Network Configuration Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1016.001 - Internet Connection Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1016.002 - Wi-Fi Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1017 - Application Deployment Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1018 - Remote System Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1019 - System Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1020 - Automated Exfiltration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1020.001 - Traffic Duplication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021 - Remote Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.001 - Remote Desktop Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.002 - SMB/Windows Admin Shares<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.003 - Distributed Component Object Model<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.004 - SSH<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.005 - VNC<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.006 - Windows Remote Management<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.007 - Cloud Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1021.008 - Direct Cloud VM Connections<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1022 - Data Encrypted<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1023 - Shortcut Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1024 - Custom Cryptographic Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1025 - Data from Removable Media<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1026 - Multiband Communication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027 - Obfuscated Files or Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.001 - Binary Padding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.002 - Software Packing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.003 - Steganography<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.004 - Compile After Delivery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.005 - Indicator Removal from Tools<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.006 - HTML Smuggling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.007 - Dynamic API Resolution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.008 - Stripped Payloads<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.009 - Embedded Payloads<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.010 - Command Obfuscation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.011 - Fileless Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.012 - LNK Icon Smuggling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.013 - Encrypted/Encoded File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1027.014 - Polymorphic Code<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1028 - Windows Remote Management<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1029 - Scheduled Transfer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1030 - Data Transfer Size Limits<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1031 - Modify Existing Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1032 - Standard Cryptographic Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1033 - System Owner/User Discovery<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1034 - Path Interception<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1035 - Service Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036 - Masquerading<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.001 - Invalid Code Signature<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.002 - Right-to-Left Override<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.003 - Rename System Utilities<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.004 - Masquerade Task or Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.005 - Match Legitimate Name or Location<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.006 - Space after Filename<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.007 - Double File Extension<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.008 - Masquerade File Type<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.009 - Break Process Trees<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1036.010 - Masquerade Account Name<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037 - Boot or Logon Initialization Scripts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037.001 - 
Logon Script (Windows)<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037.002 - Login Hook<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037.003 - Network Logon Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037.004 - RC Scripts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1037.005 - Startup Items<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1038 - DLL Search Order Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1039 - Data from Network Shared Drive<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1040 - Network Sniffing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1041 - Exfiltration Over C2 Channel<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1042 - Change Default File Association<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1043 - Commonly Used Port<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1044 - File System Permissions Weakness<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1045 - Software Packing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1046 - Network Service Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1047 - Windows Management Instrumentation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1048 - 
Exfiltration Over Alternative Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1049 - System Network Connections Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1050 - New Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1051 - Shared Webroot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1052 - Exfiltration Over Physical Medium<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1052.001 - Exfiltration over USB<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053 - Scheduled Task/Job<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.001 - At (Linux) Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.002 - At<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.003 - Cron<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.004 - Launchd<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.005 - Scheduled Task<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.006 - Systemd Timers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1053.007 - Container Orchestration Job<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1054 - Indicator Blocking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055 - Process Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.001 - Dynamic-link Library Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.002 - Portable Executable Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.003 - Thread Execution Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.004 - Asynchronous Procedure Call<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.005 - Thread Local Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.008 - Ptrace System Calls<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.009 - Proc Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.011 - Extra Window Memory Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.012 - Process Hollowing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.013 - Process Doppelgänging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.014 - VDSO Hijacking<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1055.015 - ListPlanting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1056 - Input Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1056.001 - Keylogging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1056.002 - GUI Input Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1056.003 - Web Portal Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1056.004 - Credential API Hooking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1057 - Process Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1058 - Service Registry Permissions Weakness<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059 - Command and Scripting Interpreter<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.001 - PowerShell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.002 - AppleScript<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.003 - Windows Command Shell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.004 - Unix Shell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.005 - Visual Basic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.006 - Python<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.007 - JavaScript<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.008 - Network Device CLI<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.009 - Cloud API<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.010 - AutoHotKey & AutoIT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1059.011 - Lua<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1060 - Registry Run Keys / Startup Folder<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1061 - Graphical User Interface<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1062 - Hypervisor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1063 - Security Software Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1064 - Scripting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1065 - Uncommonly Used Port<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1066 - Indicator Removal from Tools<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1067 - Bootkit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1068 - Exploitation for Privilege Escalation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1069 - Permission Groups Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> 
<!-- HTML_TAG_START -->T1069.001 - Local Groups<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1069.002 - Domain Groups<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1069.003 - Cloud Groups<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070 - Indicator Removal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.001 - Clear Windows Event Logs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.002 - Clear Linux or Mac System Logs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.003 - Clear Command History<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.004 - File Deletion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.005 - Network Share Connection Removal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.006 - Timestomp<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.007 - Clear Network Connection History and Configurations<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.008 - Clear Mailbox Data<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.009 - Clear Persistence<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1070.010 - Relocate Malware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1071 - Application Layer Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->T1071.001 - Web Protocols<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1071.002 - File Transfer Protocols<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1071.003 - Mail Protocols<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1071.004 - DNS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1071.005 - Publish/Subscribe Protocols<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1072 - Software Deployment Tools<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1073 - DLL Side-Loading<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1074 - Data Staged<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1074.001 - Local Data Staging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1074.002 - Remote Data Staging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1075 - Pass the Hash<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1076 - Remote Desktop Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1077 - Windows Admin Shares<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1078 - Valid Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1078.001 - Default Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1078.002 - Domain 
Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1078.003 - Local Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1078.004 - Cloud Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1079 - Multilayer Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1080 - Taint Shared Content<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1081 - Credentials in Files<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1082 - System Information Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1083 - File and Directory Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1084 - Windows Management Instrumentation Event Subscription<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1085 - Rundll32<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1086 - PowerShell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1087 - Account Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1087.001 - Local Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1087.002 - Domain Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1087.003 - Email Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1087.004 - Cloud Account<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1088 - Bypass User Account Control<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1089 - Disabling Security Tools<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1090 - Proxy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1090.001 - Internal Proxy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1090.002 - External Proxy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1090.003 - Multi-hop Proxy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1090.004 - Domain Fronting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1091 - Replication Through Removable Media<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1092 - Communication Through Removable Media<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1093 - Process Hollowing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1094 - Custom Command and Control Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1095 - Non-Application Layer Protocol<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1096 - NTFS File Attributes<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1097 - Pass the Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098 - Account Manipulation<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.001 - Additional Cloud Credentials<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.002 - Additional Email Delegate Permissions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.003 - Additional Cloud Roles<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.004 - SSH Authorized Keys<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.005 - Device Registration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.006 - Additional Container Cluster Roles<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1098.007 - Additional Local or Domain Groups<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1099 - Timestomp<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1100 - Web Shell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1101 - Security Support Provider<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1102 - Web Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1102.001 - Dead Drop Resolver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1102.002 - Bidirectional Communication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1102.003 - One-Way Communication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1103 - AppInit DLLs<!-- HTML_TAG_END 
--> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1104 - Multi-Stage Channels<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1105 - Ingress Tool Transfer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1106 - Native API<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1107 - File Deletion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1108 - Redundant Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1109 - Component Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1110 - Brute Force<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1110.001 - Password Guessing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1110.002 - Password Cracking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1110.003 - Password Spraying<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1110.004 - Credential Stuffing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1111 - Multi-Factor Authentication Interception<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1112 - Modify Registry<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1113 - Screen Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1114 - Email Collection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->T1114.001 - Local Email Collection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1114.002 - Remote Email Collection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1114.003 - Email Forwarding Rule<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1115 - Clipboard Data<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1116 - Code Signing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1117 - Regsvr32<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1118 - InstallUtil<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1119 - Automated Collection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1120 - Peripheral Device Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1121 - Regsvcs/Regasm<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1122 - Component Object Model Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1123 - Audio Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1124 - System Time Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1125 - Video Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1126 - Network Share Connection Removal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1127 - Trusted Developer Utilities 
Proxy Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1127.001 - MSBuild<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1127.002 - ClickOnce<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1128 - Netsh Helper DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1129 - Shared Modules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1130 - Install Root Certificate<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1131 - Authentication Package<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1132 - Data Encoding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1132.001 - Standard Encoding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1132.002 - Non-Standard Encoding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1133 - External Remote Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134 - Access Token Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134.001 - Token Impersonation/Theft<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134.002 - Create Process with Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134.003 - Make and Impersonate Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134.004 - Parent PID Spoofing<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1134.005 - SID-History Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1135 - Network Share Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1136 - Create Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1136.001 - Local Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1136.002 - Domain Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1136.003 - Cloud Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137 - Office Application Startup<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.001 - Office Template Macros<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.002 - Office Test<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.003 - Outlook Forms<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.004 - Outlook Home Page<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.005 - Outlook Rules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1137.006 - Add-ins<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1138 - Application Shimming<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1139 - Bash History<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->T1140 - Deobfuscate/Decode Files or Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1141 - Input Prompt<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1142 - Keychain<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1143 - Hidden Window<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1144 - Gatekeeper Bypass<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1145 - Private Keys<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1146 - Clear Command History<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1147 - Hidden Users<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1148 - HISTCONTROL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1149 - LC_MAIN Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1150 - Plist Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1151 - Space after Filename<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1152 - Launchctl<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1153 - Source<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1154 - Trap<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1155 - AppleScript<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->T1156 - Malicious Shell Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1157 - Dylib Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1158 - Hidden Files and Directories<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1159 - Launch Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1160 - Launch Daemon<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1161 - LC_LOAD_DYLIB Addition<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1162 - Login Item<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1163 - Rc.common<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1164 - Re-opened Applications<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1165 - Startup Items<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1166 - Setuid and Setgid<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1167 - Securityd Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1168 - Local Job Scheduling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1169 - Sudo<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1170 - Mshta<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1171 - LLMNR/NBT-NS Poisoning and Relay<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1172 - Domain Fronting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1173 - Dynamic Data Exchange<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1174 - Password Filter DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1175 - Component Object Model and Distributed COM<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1176 - Browser Extensions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1177 - LSASS Driver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1178 - SID-History Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1179 - Hooking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1180 - Screensaver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1181 - Extra Window Memory Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1182 - AppCert DLLs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1183 - Image File Execution Options Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1184 - SSH Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1185 - Browser Session Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1186 - Process Doppelgänging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> 
<!-- HTML_TAG_START -->T1187 - Forced Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1188 - Multi-hop Proxy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1189 - Drive-by Compromise<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1190 - Exploit Public-Facing Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1191 - CMSTP<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1192 - Spearphishing Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1193 - Spearphishing Attachment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1194 - Spearphishing via Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1195 - Supply Chain Compromise<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1195.001 - Compromise Software Dependencies and Development Tools<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1195.002 - Compromise Software Supply Chain<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1195.003 - Compromise Hardware Supply Chain<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1196 - Control Panel Items<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1197 - BITS Jobs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1198 - SIP and Trust Provider Hijacking<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1199 - Trusted Relationship<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1200 - Hardware Additions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1201 - Password Policy Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1202 - Indirect Command Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1203 - Exploitation for Client Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1204 - User Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1204.001 - Malicious Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1204.002 - Malicious File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1204.003 - Malicious Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1205 - Traffic Signaling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1205.001 - Port Knocking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1205.002 - Socket Filters<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1206 - Sudo Caching<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1207 - Rogue Domain Controller<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1208 - Kerberoasting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->T1209 - Time Providers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1210 - Exploitation of Remote Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1211 - Exploitation for Defense Evasion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1212 - Exploitation for Credential Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213 - Data from Information Repositories<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213.001 - Confluence<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213.002 - Sharepoint<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213.003 - Code Repositories<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213.004 - Customer Relationship Management Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1213.005 - Messaging Applications<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1214 - Credentials in Registry<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1215 - Kernel Modules and Extensions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1216 - System Script Proxy Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1216.001 - PubPrn<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1216.002 - SyncAppvPublishingServer<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1217 - Browser Information Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218 - System Binary Proxy Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.001 - Compiled HTML File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.002 - Control Panel<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.003 - CMSTP<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.004 - InstallUtil<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.005 - Mshta<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.007 - Msiexec<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.008 - Odbcconf<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.009 - Regsvcs/Regasm<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.010 - Regsvr32<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.011 - Rundll32<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.012 - Verclsid<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.013 - Mavinject<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.014 - MMC<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1218.015 - Electron Applications<!-- HTML_TAG_END 
--> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1219 - Remote Access Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1220 - XSL Script Processing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1221 - Template Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1222 - File and Directory Permissions Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1222.001 - Windows File and Directory Permissions Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1222.002 - Linux and Mac File and Directory Permissions Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1223 - Compiled HTML File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1480 - Execution Guardrails<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1480.001 - Environmental Keying<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1480.002 - Mutual Exclusion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1482 - Domain Trust Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1483 - Domain Generation Algorithms<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1484 - Domain or Tenant Policy Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1484.001 - Group Policy Modification<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1484.002 - Trust Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1485 - Data Destruction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1485.001 - Lifecycle-Triggered Deletion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1486 - Data Encrypted for Impact<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1487 - Disk Structure Wipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1488 - Disk Content Wipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1489 - Service Stop<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1490 - Inhibit System Recovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1491 - Defacement<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1491.001 - Internal Defacement<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1491.002 - External Defacement<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1492 - Stored Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1493 - Transmitted Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1494 - Runtime Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1495 - Firmware Corruption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->T1496 - Resource Hijacking<!-- HTML_TAG_END --> </div><!-- Review note: the HTML_TAG_START / HTML_TAG_END comment pairs around each label are the markers Svelte's server renderer puts around {@html ...} output, so these labels appear to be injected as raw, unescaped HTML. That is safe only while every label comes from the trusted technique catalog; if the component also wraps the typed search text in highlight markup, that text needs HTML-escaping before it is concatenated into the label. --><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1496.001 - Compute Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1496.002 - Bandwidth Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1496.003 - SMS Pumping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1496.004 - Cloud Service Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1497 - Virtualization/Sandbox Evasion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1497.001 - System Checks<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1497.002 - User Activity Based Checks<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1497.003 - Time Based Evasion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1498 - Network Denial of Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1498.001 - Direct Network Flood<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1498.002 - Reflection Amplification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1499 - Endpoint Denial of Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1499.001 - OS Exhaustion Flood<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1499.002 - Service Exhaustion Flood<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1499.003 - Application Exhaustion Flood<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1499.004 - Application or System Exploitation<!-- HTML_TAG_END --> </div><!-- Review note: T1501, T1503, T1504, T1506 and T1514 below repeat the names of T1543.002, T1555.003, T1546.013, T1550.004 and T1548.004 later in this list; they look like superseded ATT&CK IDs kept for lookup (TODO confirm). Rule metadata and reports that still cite the older ID may not group with the sub-technique ID unless both are mapped. --><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1500 - Compile After Delivery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1501 - Systemd Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1502 - Parent PID Spoofing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1503 - Credentials from Web Browsers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1504 - PowerShell Profile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505 - Server Software Component<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505.001 - SQL Stored Procedures<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505.002 - Transport Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505.003 - Web Shell<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505.004 - IIS Components<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1505.005 - Terminal Services DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1506 - Web Session Cookie<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1514 - Elevated Execution with Prompt<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1518 - Software Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1518.001 - Security Software Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1519 - Emond<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1522 - Cloud Instance Metadata API<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1525 - Implant Internal Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1526 - Cloud Service Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1527 - Application Access Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1528 - Steal Application Access Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1529 - System Shutdown/Reboot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1530 - Data from Cloud Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1531 - Account Access Removal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1534 - Internal Spearphishing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1535 - Unused/Unsupported Cloud Regions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1536 - Revert Cloud Instance<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1537 - Transfer Data to Cloud Account<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1538 - Cloud Service Dashboard<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1539 - Steal Web Session Cookie<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542 - Pre-OS Boot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542.001 - System Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542.002 - Component Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542.003 - Bootkit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542.004 - ROMMONkit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1542.005 - TFTP Boot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543 - Create or Modify System Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543.001 - Launch Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543.002 - Systemd Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543.003 - Windows Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543.004 - Launch Daemon<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1543.005 - Container Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546 - Event Triggered Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->T1546.001 - Change Default File Association<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.002 - Screensaver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.003 - Windows Management Instrumentation Event Subscription<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.004 - Unix Shell Configuration Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.005 - Trap<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.006 - LC_LOAD_DYLIB Addition<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.007 - Netsh Helper DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.008 - Accessibility Features<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.009 - AppCert DLLs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.010 - AppInit DLLs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.011 - Application Shimming<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.012 - Image File Execution Options Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.013 - PowerShell Profile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.014 - Emond<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.015 - Component Object Model Hijacking<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.016 - Installer Packages<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1546.017 - Udev Rules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547 - Boot or Logon Autostart Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.001 - Registry Run Keys / Startup Folder<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.002 - Authentication Package<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.003 - Time Providers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.004 - Winlogon Helper DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.005 - Security Support Provider<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.006 - Kernel Modules and Extensions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.007 - Re-opened Applications<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.008 - LSASS Driver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.009 - Shortcut Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.010 - Port Monitors<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.011 - Plist Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.012 - Print Processors<!-- HTML_TAG_END 
--> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.013 - XDG Autostart Entries<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.014 - Active Setup<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1547.015 - Login Items<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548 - Abuse Elevation Control Mechanism<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.001 - Setuid and Setgid<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.002 - Bypass User Account Control<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.003 - Sudo and Sudo Caching<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.004 - Elevated Execution with Prompt<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.005 - Temporary Elevated Cloud Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1548.006 - TCC Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1550 - Use Alternate Authentication Material<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1550.001 - Application Access Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1550.002 - Pass the Hash<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1550.003 - Pass the Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1550.004 - Web 
Session Cookie<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552 - Unsecured Credentials<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.001 - Credentials In Files<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.002 - Credentials in Registry<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.003 - Bash History<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.004 - Private Keys<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.005 - Cloud Instance Metadata API<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.006 - Group Policy Preferences<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.007 - Container API<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1552.008 - Chat Messages<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553 - Subvert Trust Controls<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.001 - Gatekeeper Bypass<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.002 - Code Signing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.003 - SIP and Trust Provider Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.004 - Install Root Certificate<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.005 - 
Mark-of-the-Web Bypass<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1553.006 - Code Signing Policy Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1554 - Compromise Host Software Binary<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555 - Credentials from Password Stores<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.001 - Keychain<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.002 - Securityd Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.003 - Credentials from Web Browsers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.004 - Windows Credential Manager<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.005 - Password Managers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1555.006 - Cloud Secrets Management Stores<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556 - Modify Authentication Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.001 - Domain Controller Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.002 - Password Filter DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.003 - Pluggable Authentication Modules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.004 - Network Device Authentication<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.005 - Reversible Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.006 - Multi-Factor Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.007 - Hybrid Identity<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.008 - Network Provider DLL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1556.009 - Conditional Access Policies<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1557 - Adversary-in-the-Middle<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1557.002 - ARP Cache Poisoning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1557.003 - DHCP Spoofing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1557.004 - Evil Twin<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558 - Steal or Forge Kerberos Tickets<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558.001 - Golden Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558.002 - Silver Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558.003 - Kerberoasting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558.004 - AS-REP Roasting<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1558.005 - Ccache Files<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1559 - Inter-Process Communication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1559.001 - Component Object Model<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1559.002 - Dynamic Data Exchange<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1559.003 - XPC Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1560 - Archive Collected Data<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1560.001 - Archive via Utility<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1560.002 - Archive via Library<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1560.003 - Archive via Custom Method<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1561 - Disk Wipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1561.001 - Disk Content Wipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1561.002 - Disk Structure Wipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562 - Impair Defenses<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.001 - Disable or Modify Tools<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.002 - Disable Windows Event Logging<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.003 - Impair Command History Logging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.004 - Disable or Modify System Firewall<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.006 - Indicator Blocking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.007 - Disable or Modify Cloud Firewall<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.008 - Disable or Modify Cloud Logs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.009 - Safe Mode Boot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.010 - Downgrade Attack<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.011 - Spoof Security Alerting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1562.012 - Disable or Modify Linux Audit System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1563 - Remote Service Session Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1563.001 - SSH Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1563.002 - RDP Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564 - Hide Artifacts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.001 - Hidden Files and Directories<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.002 - 
Hidden Users<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.003 - Hidden Window<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.004 - NTFS File Attributes<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.005 - Hidden File System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.006 - Run Virtual Instance<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.007 - VBA Stomping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.008 - Email Hiding Rules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.009 - Resource Forking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.010 - Process Argument Spoofing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.011 - Ignore Process Interrupts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1564.012 - File/Path Exclusions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1565 - Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1565.001 - Stored Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1565.002 - Transmitted Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1565.003 - Runtime Data Manipulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1566 - 
Phishing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1566.001 - Spearphishing Attachment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1566.002 - Spearphishing Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1566.003 - Spearphishing via Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1566.004 - Spearphishing Voice<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1567 - Exfiltration Over Web Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1567.001 - Exfiltration to Code Repository<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1567.002 - Exfiltration to Cloud Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1567.003 - Exfiltration to Text Storage Sites<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1567.004 - Exfiltration Over Webhook<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1568 - Dynamic Resolution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1568.001 - Fast Flux DNS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1568.002 - Domain Generation Algorithms<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1568.003 - DNS Calculation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1569 - System Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->T1569.001 - Launchctl<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1569.002 - Service Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1570 - Lateral Tool Transfer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1571 - Non-Standard Port<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1572 - Protocol Tunneling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1573 - Encrypted Channel<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1573.001 - Symmetric Cryptography<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1573.002 - Asymmetric Cryptography<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574 - Hijack Execution Flow<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.001 - DLL Search Order Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.002 - DLL Side-Loading<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.004 - Dylib Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.005 - Executable Installer File Permissions Weakness<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.006 - Dynamic Linker Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.007 - Path Interception by PATH Environment Variable<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.008 - Path Interception by Search Order Hijacking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.009 - Path Interception by Unquoted Path<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.010 - Services File Permissions Weakness<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.011 - Services Registry Permissions Weakness<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.012 - COR_PROFILER<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.013 - KernelCallbackTable<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1574.014 - AppDomainManager<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578 - Modify Cloud Compute Infrastructure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578.001 - Create Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578.002 - Create Cloud Instance<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578.003 - Delete Cloud Instance<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578.004 - Revert Cloud Instance<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1578.005 - Modify Cloud Compute Configurations<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1580 - Cloud Infrastructure Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->T1583 - Acquire Infrastructure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.001 - Domains<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.002 - DNS Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.003 - Virtual Private Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.004 - Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.005 - Botnet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.006 - Web Services<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.007 - Serverless<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1583.008 - Malvertising<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584 - Compromise Infrastructure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.001 - Domains<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.002 - DNS Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.003 - Virtual Private Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.004 - Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.005 - Botnet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.006 - Web Services<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.007 - Serverless<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1584.008 - Network Devices<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1585 - Establish Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1585.001 - Social Media Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1585.002 - Email Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1585.003 - Cloud Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1586 - Compromise Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1586.001 - Social Media Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1586.002 - Email Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1586.003 - Cloud Accounts<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1587 - Develop Capabilities<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1587.001 - Malware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1587.002 - Code Signing Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1587.003 - Digital Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1587.004 - Exploits<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->T1588 - Obtain Capabilities<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.001 - Malware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.002 - Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.003 - Code Signing Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.004 - Digital Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.005 - Exploits<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.006 - Vulnerabilities<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1588.007 - Artificial Intelligence<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1589 - Gather Victim Identity Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1589.001 - Credentials<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1589.002 - Email Addresses<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1589.003 - Employee Names<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590 - Gather Victim Network Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.001 - Domain Properties<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.002 - DNS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.003 - Network Trust 
Dependencies<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.004 - Network Topology<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.005 - IP Addresses<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1590.006 - Network Security Appliances<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1591 - Gather Victim Org Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1591.001 - Determine Physical Locations<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1591.002 - Business Relationships<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1591.003 - Identify Business Tempo<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1591.004 - Identify Roles<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1592 - Gather Victim Host Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1592.001 - Hardware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1592.002 - Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1592.003 - Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1592.004 - Client Configurations<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1593 - Search Open Websites/Domains<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1593.001 - Social 
Media<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1593.002 - Search Engines<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1593.003 - Code Repositories<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1594 - Search Victim-Owned Websites<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1595 - Active Scanning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1595.001 - Scanning IP Blocks<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1595.002 - Vulnerability Scanning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1595.003 - Wordlist Scanning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596 - Search Open Technical Databases<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596.001 - DNS/Passive DNS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596.002 - WHOIS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596.003 - Digital Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596.004 - CDNs<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1596.005 - Scan Databases<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1597 - Search Closed Sources<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1597.001 - Threat Intel Vendors<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1597.002 - Purchase Technical Data<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1598 - Phishing for Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1598.001 - Spearphishing Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1598.002 - Spearphishing Attachment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1598.003 - Spearphishing Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1598.004 - Spearphishing Voice<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1599 - Network Boundary Bridging<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1599.001 - Network Address Translation Traversal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1600 - Weaken Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1600.001 - Reduce Key Space<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1600.002 - Disable Crypto Hardware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1601 - Modify System Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1601.001 - Patch System Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1601.002 - Downgrade System Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1602 - Data from Configuration 
Repository<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1602.001 - SNMP (MIB Dump)<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1602.002 - Network Device Configuration Dump<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1606 - Forge Web Credentials<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1606.001 - Web Cookies<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1606.002 - SAML Tokens<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608 - Stage Capabilities<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.001 - Upload Malware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.002 - Upload Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.003 - Install Digital Certificate<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.004 - Drive-by Target<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.005 - Link Target<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1608.006 - SEO Poisoning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1609 - Container Administration Command<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1610 - Deploy Container<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1611 - Escape to Host<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1612 - Build Image on Host<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1613 - Container and Resource Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1614 - System Location Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1614.001 - System Language Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1615 - Group Policy Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1619 - Cloud Storage Object Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1620 - Reflective Code Loading<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1621 - Multi-Factor Authentication Request Generation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1622 - Debugger Evasion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1647 - Plist File Modification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1648 - Serverless Execution<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1649 - Steal or Forge Authentication Certificates<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1650 - Acquire Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1651 - Cloud Administration Command<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1652 - Device Driver 
Discovery<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1653 - Power Settings<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1654 - Log Enumeration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1656 - Impersonation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1657 - Financial Theft<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1659 - Content Injection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1665 - Hide Infrastructure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->T1666 - Modify Cloud Resource Hierarchy<!-- HTML_TAG_END --> </div> </div></div> </span> <span id="dao" class="middle svelte-axm6z3"><div class="dao-lookup-wrapper"><div class="autocomplete select is-fullwidth sautocomplete-678 svelte-75ckfb"><select class="svelte-75ckfb"></select> <div class="input-container svelte-75ckfb"> <input type="text" class=" input autocomplete-input svelte-75ckfb" id="" autocomplete="off" placeholder="Search D3FEND's 718 Artifacts" tabindex="0"> </div> <div class=" autocomplete-list hidden is-fullwidth svelte-75ckfb"> <div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Control Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Control Group<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Control List<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Mediator<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Process<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Access Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Activity Dependency<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Actuator<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Address Space<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Administrative Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Alias<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Allocate Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Anonymous Pipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Configuration Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Configuration Database Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Configuration File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Installer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Inventory Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Layer Firewall<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Layer Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Process Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Rule<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Application Shim<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Archive File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Artifact Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Asset Inventory Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Asymmetric Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Audio Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authenticate User<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authentication Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authentication Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authentication Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authentication Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Authorization Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->Authorization Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Barcode Scanner Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Binary Large Object<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Binary Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Block Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Boot Loader<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Boot Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Boot Sector<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Browser<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Browser Extension<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Build Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Business Communication Platform Client<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->CA Certificate File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Processor Cache Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Call Stack<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Central Processing Unit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Certificate<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->Certificate File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Certificate Trust Store<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Chatroom Client<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Child Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Client Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Client Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Clipboard<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cloud Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cloud Instance Metadata<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cloud Service Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cloud Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cloud User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Code Analyzer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Code Repository<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Collaborative Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Command<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Command History Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Command History Log File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Command Line Interface<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Compiler<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Compiler Configuration File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Computer Network Node<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Computer Platform<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Computing Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Computing Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Computing Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Configuration Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Configuration Database Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Configuration File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Configuration Management Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Configuration Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Connect Socket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->Console Output Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Container Build Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Container Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Container Orchestration Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Container Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Container Runtime<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Copy Memory Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Copy Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Create File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Create Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Create Socket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Create Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Credential<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Credential Management System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cryptographic Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Custom Archive File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Cyber Sensor<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DHCP Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DHCP Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DNS Lookup<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DNS Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DNS Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->DNS Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Data Artifact Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Data Dependency<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Data Link Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Database File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Database Query<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Database Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Decoy Artifact<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Default User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Delete File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Dependency<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->Deserialization Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Desktop Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Developer Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Dial Up Modem<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Differential Volume Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Artifact<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Event Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Fingerprint<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Identity<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Information<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital Information Bearer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Digital System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Directory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Directory Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Disk Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Display Adapter<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Display Device Driver<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Display Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Document File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Domain Name<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Domain Registration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Domain User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Dynamic Analysis Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Email<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Email Attachment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Email Rule<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Embedded Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Enclave<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Encrypted Credential<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Encrypted Password<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Endpoint Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Eval Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Event Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Exception Handler<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Exec<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Executable Binary<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Executable File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Executable Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->External Content Inclusion Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Fast Symbolic Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Hash<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Path Open Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Section<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Share Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File System Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File System Metadata<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File System Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->File Transfer Network Traffic<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Finger Print Scanner Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Firewall<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Firmware Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->First-stage Boot Loader<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Flash Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Forward Proxy Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Free Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Full Volume Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get Open Sockets<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get Open Windows<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get Running Processes<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get Screen Capture<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get System Config Value<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get System Network Config Value<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Get System Time<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START 
-->Get Thread Context<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Global User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Graphical User Interface<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Graphics Card Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Graphics Processing Unit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Group Policy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->HTML File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Hard Disk Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Hard Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Hardware Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Hardware Driver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Heap Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Host<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Host-based Firewall<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Host Configuration Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Host Group<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Hostname<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START 
-->Human Input Device Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->I/O Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->IP Address<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->IPC Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->IP Phone<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Identifier<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Image Code Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Image Data Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Image Scanner Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Image Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Impersonate User<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Import Library Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->In-memory Password Store<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Inbound Internet DNS Response Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Inbound Internet Mail Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Inbound Internet Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Inbound Network Traffic<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Init Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Input Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Instant Messaging Client<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Integration Test Execution Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Internet DNS Lookup<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Internet File Transfer Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Internet Network<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Internet Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Internet Persona<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Interprocess Communication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet Administrative Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet DNS Lookup<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet File Transfer Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet IPC Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet Multicast Network Traffic<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet Network<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet RPC Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intranet Web Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intrusion Detection System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Intrusion Prevention System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Java Archive<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->JavaScript Blob<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Job Schedule<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Job Scheduler Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kerberos Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kerberos Ticket Granting Service Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kerberos Ticket Granting Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kerberos Ticket Granting Ticket Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kernel<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kernel API Sensor<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kernel Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kernel Process Table<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Keyboard Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Kiosk Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Laptop Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Legacy System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Clone<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Clone3<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Clone3 Argument CLONE_THREAD<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Clone Argument CLONE_THREAD<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Connect<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Creat<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Delete Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Execve<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Execveat<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux 
Fork<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Init Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Kill Argument SIGKILL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Mmap<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Mmap2<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Munmap<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Open Argument O_CREAT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux OpenAt2 Argument O_CREAT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux OpenAt Argument O_CREAT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Pause Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Pause Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_ATTACH<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_CONT<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_GETREGS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_INTERRUPT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_PEEKTEXT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_POKETEXT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_SETREGS<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_DETACH<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Ptrace Argument PTRACE_TRACEME<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Read<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Readv<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Rename<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Renameat<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Renameat2<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Socket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Socketcall Argument SYS_CONNECT<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Socketcall Argument SYS_SOCKET<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START 
-->Linux Time<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Unlink<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Unlinkat<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Vfork<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Write<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux Writev<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Linux _Exit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Load Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Area Network<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Area Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Authentication Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Authorization Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local Resource Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Local User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Log File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Log 
Message Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Logical Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Login Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Logon User<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->MAC Address<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->MacOS Keychain<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mail Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mail Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mail Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mathematical Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Media Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Address<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Address Space<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Allocation Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Block<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Extent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Free Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory 
Management Unit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Management Unit Component<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Pool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Protection Unit<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Memory Word<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Message Transfer Agent<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Metadata<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Microcode<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Microsoft HTML Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mobile Phone<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Modem<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Mouse Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Move File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Multimedia Document File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->NTFS Hard Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->NTFS Junction Point<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->NTFS Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START 
-->NTFS Symbolic Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Named Pipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Card Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Directory Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network File Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network File Share Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Flow<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Flow Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Init Script File Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Interface Card<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Node<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Packet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Printer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Protocol Analyzer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Resource<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Resource Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Scanner<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Time Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Network Traffic Analysis Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Access Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Allocate Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Connect Socket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Copy Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Create File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Create Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Create Socket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Create Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->OS API Delete File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Exec<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Free Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Get System Time<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Get Thread Context<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Load Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Move File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Open File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Read File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Read Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Resume Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Resume Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Save Registers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Set Registers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Set Thread Context<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Suspend Process<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Suspend Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API System Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Terminate Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Trace Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Trace Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Unload Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Write File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OS API Write Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT Actuator<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT Controller<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT Embedded Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT I/O Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT Power Supply<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->OT Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Object File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Office Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Office 
Application File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Open File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Configuration Component<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Configuration File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Executable File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Log File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Packaging Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operating System Shared Library File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Operations Center Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Optical Disc Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Optical Modem<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Orchestration Controller<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->Orchestration Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Orchestration Worker<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet DNS Lookup Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Encrypted Remote Terminal Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Encrypted Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Encrypted Web Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet File Transfer Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Mail Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet RPC Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Internet Web Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Outbound Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Output Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->POSIX Symbolic Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Packet Log<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START 
-->Page<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Page Frame<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Page Table<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Parent Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Partition<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Partition Table<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Password<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Password Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Password File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Password Manager<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Password Store<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Peripheral Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Peripheral Hub Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Personal Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Physical Address<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Physical Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Pipe<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Pointer<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Pointer Dereferencing Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->PowerShell Profile Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Power Supply<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Primary Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Print Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Private Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Privileged User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Code Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Data Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Environment Variable<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Start Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Process Tree<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Processor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Processor Component<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Processor Register<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Property List File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Proxy Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Public Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Python Package<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Python Script File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RAM<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RDP Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RF Node<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RF Receiver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RF Transceiver<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RF Transmitter<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->ROM<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->RPC Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Radio Modem<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Raw Memory Access Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Read File<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Read Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Authentication Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Authorization Service<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Command<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Database Query<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Login Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Procedure Call<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Remote Terminal Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Removable Media Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Repository<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Resource Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Resource Fork<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Resume Process<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Resume Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Reverse Proxy Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Router<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->SSH Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Save Registers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Saved Instruction Pointer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Scheduled Job<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Script Application Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Second-stage Boot Loader<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Secondary Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Security Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Serialization Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Service Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Service Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Service Application 
Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Service Dependency<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Session<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Session Cookie<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Session Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Set Registers<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Set System Config Value<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Set Thread Context<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shadow Stack<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shared Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shared Library File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shared Resource Access Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shim<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shim Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Shortcut File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Slow Symbolic Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Artifact 
Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Deployment Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Library<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Library File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Package<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Packaging Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Patch<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Software Repository<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Source Code Analyzer Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Stack Component<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Stack Frame<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Stack Frame Canary<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Stack Segment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Startup Directory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Static Analysis Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Storage<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Storage Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->Storage Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Stored Procedure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->String Format Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Subroutine<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Suspend Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Suspend Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Switch<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Symbolic Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Symmetric Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Call<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Config System Call<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Configuration Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Configuration Database Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Configuration Init Database Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Configuration Init Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Dependency<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Firewall 
Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Firmware<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Init Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Init Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Init Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Password Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Service Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Startup Directory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System State Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Time Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->System Utilization Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->TFTP Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->TFTP Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Tablet Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Terminate Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Tertiary Storage<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Test Execution Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Thin Client Computer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Thread Start Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Ticket Granting Ticket<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Trace Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Trace Thread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Transducer Sensor<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Translation Lookaside Buffer<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Transport Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Trust Store<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->URL<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Unit Test Execution Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Unix Hard Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Unix Link<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Unload Module<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Action<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Behavior<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Group<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Init Configuration File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Init Script<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Input Function<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Interface<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Logon Init Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Process<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Profile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Startup Directory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User Startup Script File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->User to User Message<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Utility Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Virtual Machine Image<!-- 
HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->VPN Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Version Control Tool<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Video Input Device<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Virtual Address<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Virtual Memory Space<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Virtualization Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Volume<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Volume Boot Record<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Volume Snapshot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web API Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Access Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Application Firewall<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Application Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web File Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Identity Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Network Traffic<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->Web Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Resource Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Script File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Server<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Web Server Application<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Wide Area Network<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows OpenFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows CreateFileA<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows CreateProcessA<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows CreateRemoteThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows CreateThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows DeleteFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows DuplicateToken<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows GetThreadContext<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtGetThreadContext<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtAllocateVirtualMemory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows 
NtAllocateVirtualMemoryEx<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateMailslotFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateNamedPipeFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreatePagingFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateProcessEx<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtCreateThreadEx<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtDeleteFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtDuplicateToken<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtFlushInstructionCache<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtFreeVirtualMemory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtOpenFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtOpenProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtOpenThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->Windows NtProtectVirtualMemory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtQuerySystemTime<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtReadFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtReadFileScatter<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtResumeThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtSetInformationFile Argument FileDispositionInformation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtSetThreadContext<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtSuspendProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtSuspendThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtTerminateProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtWriteFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtWriteFileGather<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows NtWriteVirtualMemory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows OpenProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows OpenThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows QueryPerformanceCounter<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows ReadFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows Registry<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows Registry Key<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows Registry Value<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows ResumeThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows SetThreadContext<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows Shortcut File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows SuspendThread<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows TerminateProcess<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows VirtualAllocEx<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows VirtualFree<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows VirtualProtectEx<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows WriteFile<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Windows WriteProcessMemory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Wireless Access Point<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Wireless Router<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Write File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Write Memory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->Zero Client Computer<!-- HTML_TAG_END --> </div> </div></div> </div></span> <span id="defensive" class="right"><div class="autocomplete select is-fullwidth sautocomplete-914 svelte-75ckfb"><select class="svelte-75ckfb"></select> <div class="input-container svelte-75ckfb"> <input type="text" class=" input autocomplete-input svelte-75ckfb" id="" autocomplete="off" placeholder="D3FEND Lookup" tabindex="0"> </div> <div class=" autocomplete-list hidden is-fullwidth svelte-75ckfb"> <div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AMED - Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AM - Access Modeling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-APA - Access Policy Administration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AL - Account Locking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ACA - Active Certificate Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ALLM - Active Logical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-APLM - Active Physical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ANAA - Administrative Network Activity Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AA - Agent Authentication<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ABPI - Application-based Process Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ACH - Application Configuration Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AH - Application Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AI - Asset Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AVE - Asset Vulnerability Enumeration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ANCI - Authentication Cache Invalidation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ANET - Authentication Event Thresholding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-AZET - Authorization Event Thresholding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-BAN - Biometric Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-BA - Bootloader Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-BDI - Broadcast Domain Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-BSE - Byte Sequence Emulation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CBAN - Certificate-based Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CA - Certificate Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- 
HTML_TAG_START -->D3-CP - Certificate Pinning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CERO - Certificate Rotation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CSPP - Client-server Payload Profiling<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CI - Configuration Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CHN - Connected Honeynet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CAA - Connection Attempt Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CIA - Container Image Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CCSA - Credential Compromise Scope Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CE - Credential Eviction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CH - Credential Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CR - Credential Revocation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CRO - Credential Rotation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CS - Credential Scrubbing<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-CTS - Credential Transmission Scoping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNSAL - DNS Allowlisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item 
svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNSCE - DNS Cache Eviction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNSDL - DNS Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNSTA - DNS Traffic Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DEM - Data Exchange Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DI - Data Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DQSA - Database Query String Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DCE - Dead Code Elimination<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DE - Decoy Environment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DF - Decoy File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNR - Decoy Network Resource<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DO - Decoy Object<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DP - Decoy Persona<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DPR - Decoy Public Release<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DST - Decoy Session Token<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DUC - Decoy User Credential<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DPLM - Direct 
Physical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DENCR - Disk Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DKE - Disk Erasure<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DKF - Disk Formatting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DKP - Disk Partitioning<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DAM - Domain Account Monitoring<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DNRA - Domain Name Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DRT - Domain Registration Takedown<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DTP - Domain Trust Policy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DLIC - Driver Load Integrity Checking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-DA - Dynamic Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EF - Email Filtering<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ER - Email Removal<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EFA - Emulated File Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ET - Encrypted Tunnels<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EBWSAM - Endpoint-based Web Server Access 
Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EHB - Endpoint Health Beacon<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EHPV - Exception Handler Pointer Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EAL - Executable Allowlisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EDL - Executable Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-EI - Execution Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FAPA - File Access Pattern Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FA - File Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FC - File Carving<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FCOA - File Content Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FCR - File Content Rules<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FCA - File Creation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FE - File Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FEV - File Eviction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FHRA - File Hash Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FH - File Hashing<!-- HTML_TAG_END --> 
</div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FIM - File Integrity Monitoring<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FBA - Firmware Behavior Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FEMC - Firmware Embedded Monitoring Code<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FV - Firmware Verification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FRDDL - Forward Resolution Domain Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-FRIDL - Forward Resolution IP Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HBPI - Hardware-based Process Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HCI - Hardware Component Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HDDL - Hierarchical Domain Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HDL - Homoglyph Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HD - Homoglyph Detection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HR - Host Reboot<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-HS - Host Shutdown<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IOPR - IO Port Restriction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IPCTA - 
IPC Traffic Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IPRA - IP Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IAA - Identifier Activity Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ID - Identifier Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IRA - Identifier Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ISVA - Inbound Session Volume Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ITF - Inbound Traffic Filtering<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IBCA - Indirect Branch Call Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IDA - Input Device Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IRV - Integer Range Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-IHN - Integrated Honeynet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-JFAPA - Job Function Access Pattern Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-KBPI - Kernel-based Process Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-LAMED - LAN Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-LAM - Local Account Monitoring<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-LFAM - Local File Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-LFP - Local File Permissions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-LLM - Logical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MBSV - Memory Block Start Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MBT - Memory Boundary Tracking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MA - Message Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MAN - Message Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MENCR - Message Encryption<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MH - Message Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-MFA - Multi-factor Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NAM - Network Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NI - Network Isolation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NM - Network Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NNI - Network Node Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NRAM - Network Resource Access Mediation<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NTA - Network Traffic Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NTCD - Network Traffic Community Deviation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NTF - Network Traffic Filtering<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NTPM - Network Traffic Policy Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NTSA - Network Traffic Signature Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NVA - Network Vulnerability Assessment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-NPC - Null Pointer Checking<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OE - Object Eviction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OTP - One-time Password<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OSM - Operating System Monitoring<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OAM - Operational Activity Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ODM - Operational Dependency Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ORA - Operational Risk Assessment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OM - Organization Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-OTF - 
Outbound Traffic Filtering<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PCA - Passive Certificate Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PLLM - Passive Logical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PWA - Password Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PR - Password Rotation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PHDURA - Per Host Download-Upload Ratio Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PFV - Peripheral Firmware Verification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PAM - Physical Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PLM - Physical Link Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PH - Platform Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PM - Platform Monitoring<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PAN - Pointer Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PV - Pointer Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PA - Process Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PCSV - Process Code Segment Verification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> 
<!-- HTML_TAG_START -->D3-PE - Process Eviction<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PLA - Process Lineage Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PSEP - Process Segment Execution Prevention<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PSMD - Process Self-Modification Detection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PSA - Process Spawn Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PS - Process Suspension<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PT - Process Termination<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PMAD - Protocol Metadata Anomaly Detection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-PBWSAM - Proxy-based Web Server Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RFS - RF Shielding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RTA - RPC Traffic Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RN - Reference Nullification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RKD - Registry Key Deletion<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RIC - Reissue Credential<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RPA - Relay Pattern Analysis<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RFAM - Remote File Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RTSD - Remote Terminal Session Detection<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RAPA - Resource Access Pattern Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RA - Restore Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RC - Restore Configuration<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RD - Restore Database<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RDI - Restore Disk Image<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RE - Restore Email<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RF - Restore File<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RNA - Restore Network Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RO - Restore Object<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RS - Restore Software<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RUAA - Restore User Account Access<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RRID - Reverse Resolution IP Denylisting<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-RAM - Routing Access Mediation<!-- HTML_TAG_END --> </div><div 
class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SJA - Scheduled Job Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SEA - Script Execution Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SAOR - Segment Address Offset Randomization<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SMRA - Sender MTA Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SRA - Sender Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SBV - Service Binary Verification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SVCDM - Service Dependency Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SDA - Session Duration Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ST - Session Termination<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SSC - Shadow Stack Comparisons<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SWI - Software Inventory<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SU - Software Update<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SCH - Source Code Hardening<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SFCV - Stack Frame Canary Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SHN - Standalone 
Honeynet<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SPP - Strong Password Policy<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SCA - System Call Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SCF - System Call Filtering<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SCP - System Configuration Permissions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SDM - System Daemon Monitoring<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SYSDM - System Dependency Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SFA - System File Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SFV - System Firmware Verification<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SICA - System Init Config Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SYSM - System Mapping<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-SYSVA - System Vulnerability Assessment<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-TBI - TPM Boot Integrity<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-TBA - Token-based Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-TB - Token Binding<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-TAAN - 
Transfer Agent Authentication<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-TL - Trusted Library<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-UA - URL Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-URA - URL Reputation Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-ULA - Unlock Account<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-UAP - User Account Permissions<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-UBA - User Behavior Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-UDTA - User Data Transfer Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-UGLPA - User Geolocation Logon Pattern Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-USICA - User Session Init Config Analysis<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-VI - Variable Initialization<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-VTV - Variable Type Validation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-WSAM - Web Session Access Mediation<!-- HTML_TAG_END --> </div><div class="autocomplete-list-item svelte-75ckfb"> <!-- HTML_TAG_START -->D3-WSAA - Web Session Activity Analysis<!-- HTML_TAG_END --> </div> </div></div> </span></div> <main class="svelte-51re1e"> <main class="svelte-1o0n9td"> <section class="svelte-1o0n9td"> </section> </main> </main> </div></main> <footer 
class="svelte-anufko"><div class="svelte-fefdvk" data-svelte-h="svelte-x5mv02"><p class="text-small">Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the <a href="/tou">Terms of Use</a>. Use of the MITRE D3FEND website is subject to the
<a href="/privacy">MITRE D3FEND Privacy Policy</a>. MITRE D3FEND is funded
by the
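<!-- External links opened with target="_blank" carry rel="noopener noreferrer",
     like the NSEC and MITRE Corporation links in this footer, so the opened
     page gets no window.opener handle back to this tab and no Referer header.
     NOTE(review): this file looks like SvelteKit prerendered output; the
     lasting fix presumably belongs in the footer component source. -->
<a target="_blank" rel="noopener noreferrer" href="https://www.nsa.gov/">National Security Agency</a>
(NSA)
<a target="_blank" rel="noopener noreferrer" href="https://www.nsa.gov/what-we-do/cybersecurity/">Cybersecurity Directorate</a>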
and managed by the
<a href="https://www.mitre.org/centers/national-security-and-engineering-center/who-we-are" target="_blank" rel="noopener noreferrer">National Security Engineering Center</a>
(NSEC) which is operated by
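<!-- Linked over HTTPS, as the other www.mitre.org link in this footer is, so
     the first request to the site is not sent in cleartext. -->
<a target="_blank" rel="noopener noreferrer" href="https://www.mitre.org/">The MITRE Corporation</a>. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE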
Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of
The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK
<a href="https://attack.mitre.org/resources/terms-of-use/">terms of use</a>.
This software was produced for the U. S. Government under Basic Contract No.
W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer
Software and Noncommercial Computer Software Documentation Clause
252.227-7014 (FEB 2012)
<br>© 2025 The MITRE Corporation.
<br>Approved for Public Release; Distribution Unlimited #20-2338 and #23-1207.</p> </div> </footer>
<script type="application/json" data-sveltekit-fetched data-url="/api/matrix.json">{"status":200,"statusText":"","headers":{},"body":"[{\"@id\":\"d3f:Model\",\"children\":[{\"@id\":\"d3f:AssetInventory\",\"children\":[{\"@id\":\"d3f:ConfigurationInventory\",\"d3f:d3fend-id\":\"D3-CI\",\"d3f:definition\":\"Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Configuration Inventory\"},{\"@id\":\"d3f:DataInventory\",\"d3f:d3fend-id\":\"D3-DI\",\"d3f:definition\":\"Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Data Inventory\"},{\"@id\":\"d3f:SoftwareInventory\",\"d3f:d3fend-id\":\"D3-SWI\",\"d3f:definition\":\"Software inventorying identifies and records the software items in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Software Inventory\"},{\"@id\":\"d3f:AssetVulnerabilityEnumeration\",\"children\":[{\"@id\":\"d3f:ContainerImageAnalysis\",\"d3f:d3fend-id\":\"D3-CIA\",\"d3f:definition\":\"Analyzing a Container Image with respect to a set of policies.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Container Image Analysis\"}],\"d3f:d3fend-id\":\"D3-AVE\",\"d3f:definition\":\"Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Asset Vulnerability 
Enumeration\"},{\"@id\":\"d3f:NetworkNodeInventory\",\"d3f:d3fend-id\":\"D3-NNI\",\"d3f:definition\":\"Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Network Node Inventory\"},{\"@id\":\"d3f:HardwareComponentInventory\",\"d3f:d3fend-id\":\"D3-HCI\",\"d3f:definition\":\"Hardware component inventorying identifies and records the hardware items in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Hardware Component Inventory\"}],\"d3f:d3fend-id\":\"D3-AI\",\"d3f:definition\":\"Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\",\"rdfs:label\":\"Asset Inventory\"},{\"@id\":\"d3f:NetworkMapping\",\"children\":[{\"@id\":\"d3f:LogicalLinkMapping\",\"children\":[{\"@id\":\"d3f:ActiveLogicalLinkMapping\",\"d3f:d3fend-id\":\"D3-ALLM\",\"d3f:definition\":\"Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Active Logical Link Mapping\"},{\"@id\":\"d3f:PassiveLogicalLinkMapping\",\"d3f:d3fend-id\":\"D3-PLLM\",\"d3f:definition\":\"Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Passive Logical Link Mapping\"}],\"d3f:d3fend-id\":\"D3-LLM\",\"d3f:definition\":\"Logical link mapping creates a 
model of existing or previous node-to-node connections using network-layer data or metadata.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Logical Link Mapping\"},{\"@id\":\"d3f:NetworkVulnerabilityAssessment\",\"d3f:d3fend-id\":\"D3-NVA\",\"d3f:definition\":\"Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.\",\"rdfs:label\":\"Network Vulnerability Assessment\"},{\"@id\":\"d3f:PhysicalLinkMapping\",\"children\":[{\"@id\":\"d3f:ActivePhysicalLinkMapping\",\"d3f:d3fend-id\":\"D3-APLM\",\"d3f:definition\":\"Active physical link mapping sends and receives network traffic as a means to map the physical layer.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Active Physical Link Mapping\"},{\"@id\":\"d3f:DirectPhysicalLinkMapping\",\"d3f:d3fend-id\":\"D3-DPLM\",\"d3f:definition\":\"Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Direct Physical Link Mapping\"}],\"d3f:d3fend-id\":\"D3-PLM\",\"d3f:definition\":\"Physical link mapping identifies and models the link connectivity of the network devices within a physical network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Physical Link Mapping\"},{\"@id\":\"d3f:NetworkTrafficPolicyMapping\",\"d3f:d3fend-id\":\"D3-NTPM\",\"d3f:definition\":\"Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application 
levels.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Traffic Policy Mapping\"}],\"d3f:d3fend-id\":\"D3-NM\",\"d3f:definition\":\"Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.\",\"rdfs:label\":\"Network Mapping\"},{\"@id\":\"d3f:OperationalActivityMapping\",\"children\":[{\"@id\":\"d3f:AccessModeling\",\"d3f:d3fend-id\":\"D3-AM\",\"d3f:definition\":\"Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Access Modeling\"},{\"@id\":\"d3f:OperationalDependencyMapping\",\"d3f:d3fend-id\":\"D3-ODM\",\"d3f:definition\":\"Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) 
This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Operational Dependency Mapping\"},{\"@id\":\"d3f:OperationalRiskAssessment\",\"d3f:d3fend-id\":\"D3-ORA\",\"d3f:definition\":\"Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Operational Risk Assessment\"},{\"@id\":\"d3f:OrganizationMapping\",\"d3f:d3fend-id\":\"D3-OM\",\"d3f:definition\":\"Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Organization Mapping\"}],\"d3f:d3fend-id\":\"D3-OAM\",\"d3f:definition\":\"Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Operational Activity Mapping\"},{\"@id\":\"d3f:SystemMapping\",\"children\":[{\"@id\":\"d3f:DataExchangeMapping\",\"d3f:d3fend-id\":\"D3-DEM\",\"d3f:definition\":\"Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Data Exchange 
Mapping\"},{\"@id\":\"d3f:ServiceDependencyMapping\",\"d3f:d3fend-id\":\"D3-SVCDM\",\"d3f:definition\":\"Service dependency mapping determines the services on which each given service relies.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Service Dependency Mapping\"},{\"@id\":\"d3f:SystemDependencyMapping\",\"d3f:d3fend-id\":\"D3-SYSDM\",\"d3f:definition\":\"System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"System Dependency Mapping\"},{\"@id\":\"d3f:SystemVulnerabilityAssessment\",\"d3f:d3fend-id\":\"D3-SYSVA\",\"d3f:definition\":\"System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"System Vulnerability Assessment\"}],\"d3f:d3fend-id\":\"D3-SYSM\",\"d3f:definition\":\"System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.\",\"rdfs:label\":\"System Mapping\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"-1\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Model\"},{\"@id\":\"d3f:Harden\",\"children\":[{\"@id\":\"d3f:SourceCodeHardening\",\"children\":[{\"@id\":\"d3f:IntegerRangeValidation\",\"d3f:d3fend-id\":\"D3-IRV\",\"d3f:definition\":\"Ensuring that an 
integer is within a valid range.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Integer Range Validation\"},{\"@id\":\"d3f:PointerValidation\",\"children\":[{\"@id\":\"d3f:MemoryBlockStartValidation\",\"d3f:d3fend-id\":\"D3-MBSV\",\"d3f:definition\":\"Ensuring that a pointer accurately references the beginning of a designated memory block.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Memory Block Start Validation\"},{\"@id\":\"d3f:NullPointerChecking\",\"d3f:d3fend-id\":\"D3-NPC\",\"d3f:definition\":\"Checking if a pointer is NULL.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Null Pointer Checking\"}],\"d3f:d3fend-id\":\"D3-PV\",\"d3f:definition\":\"Ensuring that a pointer variable has the required properties for use.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Pointer Validation\"},{\"@id\":\"d3f:ReferenceNullification\",\"d3f:d3fend-id\":\"D3-RN\",\"d3f:definition\":\"Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Reference Nullification\"},{\"@id\":\"d3f:TrustedLibrary\",\"d3f:d3fend-id\":\"D3-TL\",\"d3f:definition\":\"A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific functions. 
These libraries are considered reliable and have been vetted for security vulnerabilities, ensuring they do not introduce risks into the application.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Trusted Library\"},{\"@id\":\"d3f:VariableInitialization\",\"d3f:d3fend-id\":\"D3-VI\",\"d3f:definition\":\"Setting variables to a known value before use.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Variable Initialization\"},{\"@id\":\"d3f:VariableTypeValidation\",\"d3f:d3fend-id\":\"D3-VTV\",\"d3f:definition\":\"Ensuring that a variable has the correct type.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Variable Type Validation\"},{\"@id\":\"d3f:CredentialScrubbing\",\"d3f:d3fend-id\":\"D3-CS\",\"d3f:definition\":\"The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential Scrubbing\"}],\"d3f:d3fend-id\":\"D3-SCH\",\"d3f:definition\":\"Hardening source code with the intention of making it more difficult to exploit and less error prone.\",\"rdfs:label\":\"Source Code Hardening\"},{\"@id\":\"d3f:CredentialHardening\",\"children\":[{\"@id\":\"d3f:CertificatePinning\",\"d3f:d3fend-id\":\"D3-CP\",\"d3f:definition\":\"Persisting either a server's X.509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Certificate Pinning\"},{\"@id\":\"d3f:StrongPasswordPolicy\",\"d3f:d3fend-id\":\"D3-SPP\",\"d3f:definition\":\"Modifying system configuration to increase password 
strength.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Strong Password Policy\"},{\"@id\":\"d3f:CredentialRotation\",\"children\":[{\"@id\":\"d3f:CertificateRotation\",\"d3f:d3fend-id\":\"D3-CERO\",\"d3f:definition\":\"Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications.\",\"rdfs:label\":\"Certificate Rotation\"},{\"@id\":\"d3f:PasswordRotation\",\"children\":[{\"@id\":\"d3f:One-timePassword\",\"d3f:d3fend-id\":\"D3-OTP\",\"d3f:definition\":\"A one-time password is valid for only one user authentication.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"One-time Password\"}],\"d3f:d3fend-id\":\"D3-PR\",\"d3f:definition\":\"Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Password Rotation\"}],\"d3f:d3fend-id\":\"D3-CRO\",\"d3f:definition\":\"Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Credential Rotation\"},{\"@id\":\"d3f:TokenBinding\",\"d3f:d3fend-id\":\"D3-TB\",\"d3f:definition\":\"Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection.\",\"rdfs:label\":\"Token Binding\"}],\"d3f:d3fend-id\":\"D3-CH\",\"d3f:definition\":\"Credential Hardening techniques modify system or network 
properties in order to protect system or network/domain credentials.\",\"rdfs:label\":\"Credential Hardening\"},{\"@id\":\"d3f:AgentAuthentication\",\"children\":[{\"@id\":\"d3f:BiometricAuthentication\",\"d3f:d3fend-id\":\"D3-BAN\",\"d3f:definition\":\"Using biological measures in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Biometric Authentication\"},{\"@id\":\"d3f:Certificate-basedAuthentication\",\"d3f:d3fend-id\":\"D3-CBAN\",\"d3f:definition\":\"Requiring a digital certificate in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Certificate-based Authentication\"},{\"@id\":\"d3f:Multi-factorAuthentication\",\"d3f:d3fend-id\":\"D3-MFA\",\"d3f:definition\":\"Requiring proof of two or more pieces of evidence in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Multi-factor Authentication\"},{\"@id\":\"d3f:Token-basedAuthentication\",\"d3f:d3fend-id\":\"D3-TBA\",\"d3f:definition\":\"Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. 
Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Token-based Authentication\"},{\"@id\":\"d3f:PasswordAuthentication\",\"d3f:d3fend-id\":\"D3-PWA\",\"d3f:definition\":\"Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Password Authentication\"}],\"d3f:d3fend-id\":\"D3-AA\",\"d3f:definition\":\"Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Agent Authentication\"},{\"@id\":\"d3f:ApplicationHardening\",\"children\":[{\"@id\":\"d3f:ApplicationConfigurationHardening\",\"d3f:d3fend-id\":\"D3-ACH\",\"d3f:definition\":\"Modifying an application's configuration to reduce its attack surface.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Application Configuration Hardening\"},{\"@id\":\"d3f:DeadCodeElimination\",\"d3f:d3fend-id\":\"D3-DCE\",\"d3f:definition\":\"Removing unreachable or \\\"dead code\\\" from compiled source code.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Dead Code Elimination\"},{\"@id\":\"d3f:ExceptionHandlerPointerValidation\",\"d3f:d3fend-id\":\"D3-EHPV\",\"d3f:definition\":\"Validates that a referenced exception handler pointer is a valid exception 
handler.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Exception Handler Pointer Validation\"},{\"@id\":\"d3f:PointerAuthentication\",\"d3f:d3fend-id\":\"D3-PAN\",\"d3f:definition\":\"Comparing the cryptographic hash or derivative of a pointer's value to an expected value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Pointer Authentication\"},{\"@id\":\"d3f:ProcessSegmentExecutionPrevention\",\"d3f:d3fend-id\":\"D3-PSEP\",\"d3f:definition\":\"Preventing execution of any address in a memory region other than the code segment.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Process Segment Execution Prevention\"},{\"@id\":\"d3f:SegmentAddressOffsetRandomization\",\"d3f:d3fend-id\":\"D3-SAOR\",\"d3f:definition\":\"Randomizing the base (start) address of one or more segments of memory during the initialization of a process.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Segment Address Offset Randomization\"},{\"@id\":\"d3f:StackFrameCanaryValidation\",\"d3f:d3fend-id\":\"D3-SFCV\",\"d3f:definition\":\"Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Stack Frame Canary Validation\"}],\"d3f:d3fend-id\":\"D3-AH\",\"d3f:definition\":\"Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. 
These techniques may be applied at compile-time or on an application binary.\",\"rdfs:label\":\"Application Hardening\"},{\"@id\":\"d3f:PlatformHardening\",\"children\":[{\"@id\":\"d3f:BootloaderAuthentication\",\"d3f:d3fend-id\":\"D3-BA\",\"d3f:definition\":\"Cryptographically authenticating the bootloader software before system boot.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Bootloader Authentication\"},{\"@id\":\"d3f:DiskEncryption\",\"d3f:d3fend-id\":\"D3-DENCR\",\"d3f:definition\":\"Encrypting a hard disk partition to prevent cleartext access to a file system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Disk Encryption\"},{\"@id\":\"d3f:DriverLoadIntegrityChecking\",\"d3f:d3fend-id\":\"D3-DLIC\",\"d3f:definition\":\"Ensuring the integrity of drivers loaded during initialization of the operating system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Driver Load Integrity Checking\"},{\"@id\":\"d3f:FileEncryption\",\"d3f:d3fend-id\":\"D3-FE\",\"d3f:definition\":\"Encrypting a file using a cryptographic key.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Encryption\"},{\"@id\":\"d3f:RFShielding\",\"d3f:d3fend-id\":\"D3-RFS\",\"d3f:definition\":\"Adding physical barriers to a platform to prevent undesired radio interference.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"RF Shielding\"},{\"@id\":\"d3f:SoftwareUpdate\",\"d3f:d3fend-id\":\"D3-SU\",\"d3f:definition\":\"Replacing old software on a computer system component.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Software 
Update\"},{\"@id\":\"d3f:SystemConfigurationPermissions\",\"d3f:d3fend-id\":\"D3-SCP\",\"d3f:definition\":\"Restricting system configuration modifications to a specific user or group of users.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"System Configuration Permissions\"},{\"@id\":\"d3f:TPMBootIntegrity\",\"d3f:d3fend-id\":\"D3-TBI\",\"d3f:definition\":\"Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"TPM Boot Integrity\"}],\"d3f:d3fend-id\":\"D3-PH\",\"d3f:definition\":\"Hardening components of a Platform with the intention of making them more difficult to exploit.\\n\\nPlatforms includes components such as:\\n* BIOS UEFI Subsystems\\n* Hardware security devices such as Trusted Platform Modules\\n* Boot process logic or code\\n* Kernel software components\",\"rdfs:label\":\"Platform Hardening\"},{\"@id\":\"d3f:MessageHardening\",\"children\":[{\"@id\":\"d3f:MessageAuthentication\",\"d3f:d3fend-id\":\"D3-MAN\",\"d3f:definition\":\"Authenticating the sender of a message and ensuring message integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Message Authentication\"},{\"@id\":\"d3f:MessageEncryption\",\"d3f:d3fend-id\":\"D3-MENCR\",\"d3f:definition\":\"Encrypting a message body using a cryptographic key.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Message Encryption\"},{\"@id\":\"d3f:TransferAgentAuthentication\",\"d3f:d3fend-id\":\"D3-TAAN\",\"d3f:definition\":\"Validating that server components of a messaging infrastructure 
are authorized to send a particular message.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Transfer Agent Authentication\"}],\"d3f:d3fend-id\":\"D3-MH\",\"d3f:definition\":\"Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.\",\"rdfs:label\":\"Message Hardening\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Harden\"},{\"@id\":\"d3f:Detect\",\"children\":[{\"@id\":\"d3f:FileAnalysis\",\"children\":[{\"@id\":\"d3f:DynamicAnalysis\",\"d3f:d3fend-id\":\"D3-DA\",\"d3f:definition\":\"Executing or opening a file in a synthetic \\\"sandbox\\\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Dynamic Analysis\"},{\"@id\":\"d3f:EmulatedFileAnalysis\",\"d3f:d3fend-id\":\"D3-EFA\",\"d3f:definition\":\"Emulating instructions in a file looking for specific patterns.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Emulated File Analysis\"},{\"@id\":\"d3f:FileHashing\",\"d3f:d3fend-id\":\"D3-FH\",\"d3f:definition\":\"Employing file hash comparisons to detect known malware.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Hashing\"},{\"@id\":\"d3f:FileContentAnalysis\",\"children\":[{\"@id\":\"d3f:FileContentRules\",\"d3f:d3fend-id\":\"D3-FCR\",\"d3f:definition\":\"Employing a pattern matching rule language to analyze the content of 
files.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"File Content Rules\"}],\"d3f:d3fend-id\":\"D3-FCOA\",\"d3f:definition\":\"Employing a pattern matching algorithm to statically analyze the content of files.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Content Analysis\"}],\"d3f:d3fend-id\":\"D3-FA\",\"d3f:definition\":\"File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.\",\"rdfs:label\":\"File Analysis\"},{\"@id\":\"d3f:NetworkTrafficAnalysis\",\"children\":[{\"@id\":\"d3f:AdministrativeNetworkActivityAnalysis\",\"d3f:d3fend-id\":\"D3-ANAA\",\"d3f:definition\":\"Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Administrative Network Activity Analysis\"},{\"@id\":\"d3f:ByteSequenceEmulation\",\"d3f:d3fend-id\":\"D3-BSE\",\"d3f:definition\":\"Analyzing sequences of bytes and determining if they likely represent malicious shellcode.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Byte Sequence Emulation\"},{\"@id\":\"d3f:CertificateAnalysis\",\"children\":[{\"@id\":\"d3f:ActiveCertificateAnalysis\",\"d3f:d3fend-id\":\"D3-ACA\",\"d3f:definition\":\"Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Active Certificate Analysis\"},{\"@id\":\"d3f:PassiveCertificateAnalysis\",\"d3f:d3fend-id\":\"D3-PCA\",\"d3f:definition\":\"Collecting host certificates from network traffic or other passive sources like a certificate 
transparency log and analyzing them for unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Passive Certificate Analysis\"}],\"d3f:d3fend-id\":\"D3-CA\",\"d3f:definition\":\"Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Certificate Analysis\"},{\"@id\":\"d3f:Client-serverPayloadProfiling\",\"d3f:d3fend-id\":\"D3-CSPP\",\"d3f:definition\":\"Comparing client-server request and response payloads to a baseline profile to identify outliers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Client-server Payload Profiling\"},{\"@id\":\"d3f:ConnectionAttemptAnalysis\",\"d3f:d3fend-id\":\"D3-CAA\",\"d3f:definition\":\"Analyzing failed connections in a network to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Connection Attempt Analysis\"},{\"@id\":\"d3f:DNSTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-DNSTA\",\"d3f:definition\":\"Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"DNS Traffic Analysis\"},{\"@id\":\"d3f:FileCarving\",\"d3f:d3fend-id\":\"D3-FC\",\"d3f:definition\":\"Identifying and extracting files from network application protocols through the use of network stream reassembly software.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File 
Carving\"},{\"@id\":\"d3f:InboundSessionVolumeAnalysis\",\"d3f:d3fend-id\":\"D3-ISVA\",\"d3f:definition\":\"Analyzing inbound network session or connection attempt volume.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Inbound Session Volume Analysis\"},{\"@id\":\"d3f:IPCTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-IPCTA\",\"d3f:definition\":\"Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"7\"},\"rdfs:label\":\"IPC Traffic Analysis\"},{\"@id\":\"d3f:NetworkTrafficCommunityDeviation\",\"d3f:d3fend-id\":\"D3-NTCD\",\"d3f:definition\":\"Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Traffic Community Deviation\"},{\"@id\":\"d3f:PerHostDownload-UploadRatioAnalysis\",\"d3f:d3fend-id\":\"D3-PHDURA\",\"d3f:definition\":\"Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Per Host Download-Upload Ratio Analysis\"},{\"@id\":\"d3f:ProtocolMetadataAnomalyDetection\",\"d3f:d3fend-id\":\"D3-PMAD\",\"d3f:definition\":\"Collecting network communication protocol metadata and identifying statistical outliers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Protocol Metadata Anomaly Detection\"},{\"@id\":\"d3f:RelayPatternAnalysis\",\"d3f:d3fend-id\":\"D3-RPA\",\"d3f:definition\":\"The detection of an internal host relaying traffic between the internal network and the external 
network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Relay Pattern Analysis\"},{\"@id\":\"d3f:RemoteTerminalSessionDetection\",\"d3f:d3fend-id\":\"D3-RTSD\",\"d3f:definition\":\"Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Remote Terminal Session Detection\"},{\"@id\":\"d3f:RPCTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-RTA\",\"d3f:definition\":\"Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"8\"},\"rdfs:label\":\"RPC Traffic Analysis\"},{\"@id\":\"d3f:NetworkTrafficSignatureAnalysis\",\"d3f:d3fend-id\":\"D3-NTSA\",\"d3f:definition\":\"Analyzing network traffic and comparing it to known signatures.\",\"rdfs:label\":\"Network Traffic Signature Analysis\"}],\"d3f:d3fend-id\":\"D3-NTA\",\"d3f:definition\":\"Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.\",\"rdfs:label\":\"Network Traffic Analysis\"},{\"@id\":\"d3f:PlatformMonitoring\",\"children\":[{\"@id\":\"d3f:FirmwareBehaviorAnalysis\",\"d3f:d3fend-id\":\"D3-FBA\",\"d3f:definition\":\"Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Firmware Behavior Analysis\"},{\"@id\":\"d3f:FirmwareEmbeddedMonitoringCode\",\"d3f:d3fend-id\":\"D3-FEMC\",\"d3f:definition\":\"Monitoring code is injected into firmware for integrity monitoring of firmware and firmware 
data.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Firmware Embedded Monitoring Code\"},{\"@id\":\"d3f:FirmwareVerification\",\"children\":[{\"@id\":\"d3f:PeripheralFirmwareVerification\",\"d3f:d3fend-id\":\"D3-PFV\",\"d3f:definition\":\"Cryptographically verifying peripheral firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Peripheral Firmware Verification\"},{\"@id\":\"d3f:SystemFirmwareVerification\",\"d3f:d3fend-id\":\"D3-SFV\",\"d3f:definition\":\"Cryptographically verifying installed system firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"System Firmware Verification\"}],\"d3f:d3fend-id\":\"D3-FV\",\"d3f:definition\":\"Cryptographically verifying firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Firmware Verification\"},{\"@id\":\"d3f:OperatingSystemMonitoring\",\"children\":[{\"@id\":\"d3f:EndpointHealthBeacon\",\"d3f:d3fend-id\":\"D3-EHB\",\"d3f:definition\":\"Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Endpoint Health Beacon\"},{\"@id\":\"d3f:InputDeviceAnalysis\",\"d3f:d3fend-id\":\"D3-IDA\",\"d3f:definition\":\"Operating system level mechanisms to prevent abusive input device exploitation.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Input Device Analysis\"},{\"@id\":\"d3f:MemoryBoundaryTracking\",\"d3f:d3fend-id\":\"D3-MBT\",\"d3f:definition\":\"Analyzing a call stack for return addresses which point to unexpected memory 
locations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Memory Boundary Tracking\"},{\"@id\":\"d3f:ScheduledJobAnalysis\",\"d3f:d3fend-id\":\"D3-SJA\",\"d3f:definition\":\"Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Scheduled Job Analysis\"},{\"@id\":\"d3f:SystemDaemonMonitoring\",\"d3f:d3fend-id\":\"D3-SDM\",\"d3f:definition\":\"Tracking changes to the state or configuration of critical system level processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System Daemon Monitoring\"},{\"@id\":\"d3f:SystemFileAnalysis\",\"children\":[{\"@id\":\"d3f:ServiceBinaryVerification\",\"d3f:d3fend-id\":\"D3-SBV\",\"d3f:definition\":\"Analyzing changes in service binary files by comparing to a source of truth.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Service Binary Verification\"}],\"d3f:d3fend-id\":\"D3-SFA\",\"d3f:definition\":\"Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System File Analysis\"},{\"@id\":\"d3f:SystemInitConfigAnalysis\",\"d3f:d3fend-id\":\"D3-SICA\",\"d3f:definition\":\"Analysis of any system process startup configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System Init Config Analysis\"},{\"@id\":\"d3f:UserSessionInitConfigAnalysis\",\"d3f:d3fend-id\":\"D3-USICA\",\"d3f:definition\":\"Analyzing modifications to user session config files such as .bashrc or 
.bash_profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"User Session Init Config Analysis\"}],\"d3f:d3fend-id\":\"D3-OSM\",\"d3f:definition\":\"The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Operating System Monitoring\"},{\"@id\":\"d3f:FileIntegrityMonitoring\",\"d3f:d3fend-id\":\"D3-FIM\",\"d3f:definition\":\"Detecting any suspicious changes to files in a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"File Integrity Monitoring\"}],\"d3f:d3fend-id\":\"D3-PM\",\"d3f:definition\":\"Monitoring platform components such as operating systems software, hardware devices, or firmware.\",\"rdfs:label\":\"Platform Monitoring\"},{\"@id\":\"d3f:IdentifierAnalysis\",\"children\":[{\"@id\":\"d3f:HomoglyphDetection\",\"d3f:d3fend-id\":\"D3-HD\",\"d3f:definition\":\"Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Homoglyph Detection\"},{\"@id\":\"d3f:URLAnalysis\",\"d3f:d3fend-id\":\"D3-UA\",\"d3f:definition\":\"Determining if a URL is benign or malicious by analyzing the URL or its components.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"URL 
Analysis\"},{\"@id\":\"d3f:IdentifierReputationAnalysis\",\"children\":[{\"@id\":\"d3f:DomainNameReputationAnalysis\",\"d3f:d3fend-id\":\"D3-DNRA\",\"d3f:definition\":\"Analyzing the reputation of a domain name.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Domain Name Reputation Analysis\"},{\"@id\":\"d3f:FileHashReputationAnalysis\",\"d3f:d3fend-id\":\"D3-FHRA\",\"d3f:definition\":\"Analyzing the reputation of a file hash.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Hash Reputation Analysis\"},{\"@id\":\"d3f:IPReputationAnalysis\",\"d3f:d3fend-id\":\"D3-IPRA\",\"d3f:definition\":\"Analyzing the reputation of an IP address.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"IP Reputation Analysis\"},{\"@id\":\"d3f:URLReputationAnalysis\",\"d3f:d3fend-id\":\"D3-URA\",\"d3f:definition\":\"Analyzing the reputation of a URL.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"URL Reputation Analysis\"}],\"d3f:d3fend-id\":\"D3-IRA\",\"d3f:definition\":\"Analyzing the reputation of an identifier.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Identifier Reputation Analysis\"},{\"@id\":\"d3f:IdentifierActivityAnalysis\",\"d3f:d3fend-id\":\"D3-IAA\",\"d3f:definition\":\"Taking known malicious identifiers and determining if they are present in a system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Identifier Activity Analysis\"}],\"d3f:d3fend-id\":\"D3-ID\",\"d3f:definition\":\"Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.\",\"rdfs:label\":\"Identifier 
Analysis\"},{\"@id\":\"d3f:MessageAnalysis\",\"children\":[{\"@id\":\"d3f:SenderMTAReputationAnalysis\",\"d3f:d3fend-id\":\"D3-SMRA\",\"d3f:definition\":\"Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Sender MTA Reputation Analysis\"},{\"@id\":\"d3f:SenderReputationAnalysis\",\"d3f:d3fend-id\":\"D3-SRA\",\"d3f:definition\":\"Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Sender Reputation Analysis\"}],\"d3f:d3fend-id\":\"D3-MA\",\"d3f:definition\":\"Analyzing email or instant message content to detect unauthorized activity.\",\"rdfs:label\":\"Message Analysis\"},{\"@id\":\"d3f:ProcessAnalysis\",\"children\":[{\"@id\":\"d3f:DatabaseQueryStringAnalysis\",\"d3f:d3fend-id\":\"D3-DQSA\",\"d3f:definition\":\"Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Database Query String Analysis\"},{\"@id\":\"d3f:FileAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-FAPA\",\"d3f:definition\":\"Analyzing the files accessed by a process to identify unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Access Pattern Analysis\"},{\"@id\":\"d3f:IndirectBranchCallAnalysis\",\"d3f:d3fend-id\":\"D3-IBCA\",\"d3f:definition\":\"Analyzing vendor specific branch call recording in order to detect ROP style attacks.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Indirect Branch Call 
Analysis\"},{\"@id\":\"d3f:ProcessCodeSegmentVerification\",\"d3f:d3fend-id\":\"D3-PCSV\",\"d3f:definition\":\"Comparing the \\\"text\\\" or \\\"code\\\" memory segments to a source of truth.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Process Code Segment Verification\"},{\"@id\":\"d3f:ProcessSelf-ModificationDetection\",\"d3f:d3fend-id\":\"D3-PSMD\",\"d3f:definition\":\"Detects processes that modify, change, or replace their own code at runtime.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Process Self-Modification Detection\"},{\"@id\":\"d3f:ProcessSpawnAnalysis\",\"children\":[{\"@id\":\"d3f:ProcessLineageAnalysis\",\"d3f:d3fend-id\":\"D3-PLA\",\"d3f:definition\":\"Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"18\"},\"rdfs:label\":\"Process Lineage Analysis\"}],\"d3f:d3fend-id\":\"D3-PSA\",\"d3f:definition\":\"Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"42\"},\"rdfs:label\":\"Process Spawn Analysis\"},{\"@id\":\"d3f:ScriptExecutionAnalysis\",\"d3f:d3fend-id\":\"D3-SEA\",\"d3f:definition\":\"Analyzing the execution of a script to detect unauthorized user activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Script Execution Analysis\"},{\"@id\":\"d3f:ShadowStackComparisons\",\"d3f:d3fend-id\":\"D3-SSC\",\"d3f:definition\":\"Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine 
unauthorized shellcode activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Shadow Stack Comparisons\"},{\"@id\":\"d3f:SystemCallAnalysis\",\"children\":[{\"@id\":\"d3f:FileCreationAnalysis\",\"d3f:d3fend-id\":\"D3-FCA\",\"d3f:definition\":\"Analyzing the properties of file create system call invocations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"File Creation Analysis\"}],\"d3f:d3fend-id\":\"D3-SCA\",\"d3f:definition\":\"Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"8\"},\"rdfs:label\":\"System Call Analysis\"}],\"d3f:d3fend-id\":\"D3-PA\",\"d3f:definition\":\"Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. 
Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.\",\"rdfs:label\":\"Process Analysis\"},{\"@id\":\"d3f:UserBehaviorAnalysis\",\"children\":[{\"@id\":\"d3f:AuthenticationEventThresholding\",\"d3f:d3fend-id\":\"D3-ANET\",\"d3f:definition\":\"Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Authentication Event Thresholding\"},{\"@id\":\"d3f:AuthorizationEventThresholding\",\"d3f:d3fend-id\":\"D3-AZET\",\"d3f:definition\":\"Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Authorization Event Thresholding\"},{\"@id\":\"d3f:CredentialCompromiseScopeAnalysis\",\"d3f:d3fend-id\":\"D3-CCSA\",\"d3f:definition\":\"Determining which credentials may have been compromised by analyzing the user logon history of a particular system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Credential Compromise Scope Analysis\"},{\"@id\":\"d3f:DomainAccountMonitoring\",\"d3f:d3fend-id\":\"D3-DAM\",\"d3f:definition\":\"Monitoring the existence of or changes to Domain User Accounts.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Domain Account Monitoring\"},{\"@id\":\"d3f:JobFunctionAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-JFAPA\",\"d3f:definition\":\"Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, 
department.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Job Function Access Pattern Analysis\"},{\"@id\":\"d3f:LocalAccountMonitoring\",\"d3f:d3fend-id\":\"D3-LAM\",\"d3f:definition\":\"Analyzing local user accounts to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Local Account Monitoring\"},{\"@id\":\"d3f:ResourceAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-RAPA\",\"d3f:definition\":\"Analyzing the resources accessed by a user to identify unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Resource Access Pattern Analysis\"},{\"@id\":\"d3f:SessionDurationAnalysis\",\"d3f:d3fend-id\":\"D3-SDA\",\"d3f:definition\":\"Analyzing the duration of user sessions in order to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Session Duration Analysis\"},{\"@id\":\"d3f:UserDataTransferAnalysis\",\"d3f:d3fend-id\":\"D3-UDTA\",\"d3f:definition\":\"Analyzing the amount of data transferred by a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"User Data Transfer Analysis\"},{\"@id\":\"d3f:UserGeolocationLogonPatternAnalysis\",\"d3f:d3fend-id\":\"D3-UGLPA\",\"d3f:definition\":\"Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"User Geolocation Logon Pattern Analysis\"},{\"@id\":\"d3f:WebSessionActivityAnalysis\",\"d3f:d3fend-id\":\"D3-WSAA\",\"d3f:definition\":\"Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile 
or a catalog of predetermined malicious behavior.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Web Session Activity Analysis\"}],\"d3f:d3fend-id\":\"D3-UBA\",\"d3f:definition\":\"User behavior analytics (\\\"UBA\\\") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.\",\"rdfs:label\":\"User Behavior Analysis\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Detect\"},{\"@id\":\"d3f:Isolate\",\"children\":[{\"@id\":\"d3f:ExecutionIsolation\",\"children\":[{\"@id\":\"d3f:ExecutableAllowlisting\",\"d3f:d3fend-id\":\"D3-EAL\",\"d3f:definition\":\"Using a digital signature to authenticate a file before opening.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Executable Allowlisting\"},{\"@id\":\"d3f:ExecutableDenylisting\",\"d3f:d3fend-id\":\"D3-EDL\",\"d3f:definition\":\"Blocking the execution of files on a host in accordance with defined application policy rules.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Executable Denylisting\"},{\"@id\":\"d3f:Hardware-basedProcessIsolation\",\"d3f:d3fend-id\":\"D3-HBPI\",\"d3f:definition\":\"Preventing one process from writing to the memory space of 
another process through hardware based address manager implementations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Hardware-based Process Isolation\"},{\"@id\":\"d3f:Kernel-basedProcessIsolation\",\"d3f:d3fend-id\":\"D3-KBPI\",\"d3f:definition\":\"Using kernel-level capabilities to isolate processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Kernel-based Process Isolation\"},{\"@id\":\"d3f:Application-basedProcessIsolation\",\"d3f:d3fend-id\":\"D3-ABPI\",\"d3f:definition\":\"Application code which prevents its own subroutines from accessing intra-process / internal memory space.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Application-based Process Isolation\"}],\"d3f:d3fend-id\":\"D3-EI\",\"d3f:definition\":\"Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.\",\"rdfs:label\":\"Execution Isolation\"},{\"@id\":\"d3f:AccessMediation\",\"children\":[{\"@id\":\"d3f:CredentialTransmissionScoping\",\"d3f:d3fend-id\":\"D3-CTS\",\"d3f:definition\":\"Limiting the transmission of a credential to a scoped set of relying parties.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential Transmission Scoping\"},{\"@id\":\"d3f:IOPortRestriction\",\"d3f:d3fend-id\":\"D3-IOPR\",\"d3f:definition\":\"Limiting access to computer input/output (IO) ports to restrict unauthorized devices.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"IO Port Restriction\"},{\"@id\":\"d3f:SystemCallFiltering\",\"children\":[{\"@id\":\"d3f:LocalFileAccessMediation\",\"d3f:d3fend-id\":\"D3-LFAM\",\"d3f:definition\":\"Restricting access to a local file by configuring operating system 
functionality.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Local File Access Mediation\"}],\"d3f:d3fend-id\":\"D3-SCF\",\"d3f:definition\":\"Controlling access to local computer system resources with kernel-level capabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System Call Filtering\"},{\"@id\":\"d3f:PhysicalAccessMediation\",\"d3f:d3fend-id\":\"D3-PAM\",\"d3f:definition\":\"Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Physical Access Mediation\"},{\"@id\":\"d3f:NetworkAccessMediation\",\"children\":[{\"@id\":\"d3f:LANAccessMediation\",\"d3f:d3fend-id\":\"D3-LAMED\",\"d3f:definition\":\"LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"LAN Access Mediation\"},{\"@id\":\"d3f:RoutingAccessMediation\",\"d3f:d3fend-id\":\"D3-RAM\",\"d3f:definition\":\"Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Routing Access Mediation\"}],\"d3f:d3fend-id\":\"D3-NAM\",\"d3f:definition\":\"Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a 
network, including a local area network, a wide area network, and the Internet.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Access Mediation\"},{\"@id\":\"d3f:NetworkResourceAccessMediation\",\"children\":[{\"@id\":\"d3f:RemoteFileAccessMediation\",\"d3f:d3fend-id\":\"D3-RFAM\",\"d3f:definition\":\"Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Remote File Access Mediation\"},{\"@id\":\"d3f:WebSessionAccessMediation\",\"children\":[{\"@id\":\"d3f:EndpointBasedWebServerAccessMediation\",\"d3f:d3fend-id\":\"D3-EBWSAM\",\"d3f:definition\":\"Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Endpoint-based Web Server Access Mediation\"},{\"@id\":\"d3f:ProxyBasedWebServerAccessMediation\",\"d3f:d3fend-id\":\"D3-PBWSAM\",\"d3f:definition\":\"Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Proxy-based Web Server Access Mediation\"}],\"d3f:d3fend-id\":\"D3-WSAM\",\"d3f:definition\":\"Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related 
attacks.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Web Session Access Mediation\"}],\"d3f:d3fend-id\":\"D3-NRAM\",\"d3f:definition\":\"Control of access to organizational systems and services by users or processes over a network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Resource Access Mediation\"}],\"d3f:d3fend-id\":\"D3-AMED\",\"d3f:definition\":\"Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Access Mediation\"},{\"@id\":\"d3f:AccessPolicyAdministration\",\"children\":[{\"@id\":\"d3f:DomainTrustPolicy\",\"d3f:d3fend-id\":\"D3-DTP\",\"d3f:definition\":\"Restricting inter-domain trust by modifying domain configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Domain Trust Policy\"},{\"@id\":\"d3f:LocalFilePermissions\",\"d3f:d3fend-id\":\"D3-LFP\",\"d3f:definition\":\"Restricting access to a local file by configuring operating system functionality.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Local File Permissions\"},{\"@id\":\"d3f:UserAccountPermissions\",\"d3f:d3fend-id\":\"D3-UAP\",\"d3f:definition\":\"Restricting a user account's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"User Account Permissions\"}],\"d3f:d3fend-id\":\"D3-APA\",\"d3f:definition\":\"Access policy administration is the systematic process of defining, implementing, and managing access control 
policies that dictate user permissions to resources.\",\"rdfs:label\":\"Access Policy Administration\"},{\"@id\":\"d3f:NetworkIsolation\",\"children\":[{\"@id\":\"d3f:BroadcastDomainIsolation\",\"d3f:d3fend-id\":\"D3-BDI\",\"d3f:definition\":\"Broadcast isolation restricts the number of computers a host can contact on their LAN.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Broadcast Domain Isolation\"},{\"@id\":\"d3f:DNSAllowlisting\",\"d3f:d3fend-id\":\"D3-DNSAL\",\"d3f:definition\":\"Permitting only approved domains and their subdomains to be resolved.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"DNS Allowlisting\"},{\"@id\":\"d3f:DNSDenylisting\",\"children\":[{\"@id\":\"d3f:ForwardResolutionDomainDenylisting\",\"children\":[{\"@id\":\"d3f:HierarchicalDomainDenylisting\",\"d3f:d3fend-id\":\"D3-HDDL\",\"d3f:definition\":\"Blocking the resolution of any subdomain of a specified domain name.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Hierarchical Domain Denylisting\"},{\"@id\":\"d3f:HomoglyphDenylisting\",\"d3f:d3fend-id\":\"D3-HDL\",\"d3f:definition\":\"Blocking DNS queries that are deceptively similar to legitimate domain names.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Homoglyph Denylisting\"}],\"d3f:d3fend-id\":\"D3-FRDDL\",\"d3f:definition\":\"Blocking a lookup based on the query's domain name value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Forward Resolution Domain Denylisting\"},{\"@id\":\"d3f:ForwardResolutionIPDenylisting\",\"d3f:d3fend-id\":\"D3-FRIDL\",\"d3f:definition\":\"Blocking a DNS lookup's answer's IP address 
value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Forward Resolution IP Denylisting\"},{\"@id\":\"d3f:ReverseResolutionIPDenylisting\",\"d3f:d3fend-id\":\"D3-RRID\",\"d3f:definition\":\"Blocking a reverse lookup based on the query's IP address value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Reverse Resolution IP Denylisting\"}],\"d3f:d3fend-id\":\"D3-DNSDL\",\"d3f:definition\":\"Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"DNS Denylisting\"},{\"@id\":\"d3f:EncryptedTunnels\",\"d3f:d3fend-id\":\"D3-ET\",\"d3f:definition\":\"Encrypted encapsulation of routable network traffic.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Encrypted Tunnels\"},{\"@id\":\"d3f:NetworkTrafficFiltering\",\"children\":[{\"@id\":\"d3f:InboundTrafficFiltering\",\"children\":[{\"@id\":\"d3f:EmailFiltering\",\"d3f:d3fend-id\":\"D3-EF\",\"d3f:definition\":\"Filtering incoming email traffic based on specific criteria.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Email Filtering\"}],\"d3f:d3fend-id\":\"D3-ITF\",\"d3f:definition\":\"Restricting network traffic originating from untrusted networks destined towards a private host or enclave.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"9\"},\"rdfs:label\":\"Inbound Traffic Filtering\"},{\"@id\":\"d3f:OutboundTrafficFiltering\",\"d3f:d3fend-id\":\"D3-OTF\",\"d3f:definition\":\"Restricting network traffic originating from a private host or enclave destined towards untrusted 
networks.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Outbound Traffic Filtering\"}],\"d3f:d3fend-id\":\"D3-NTF\",\"d3f:definition\":\"Restricting network traffic originating from any location.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"9\"},\"rdfs:label\":\"Network Traffic Filtering\"}],\"d3f:d3fend-id\":\"D3-NI\",\"d3f:definition\":\"Network Isolation techniques prevent network hosts from accessing non-essential system network resources.\",\"rdfs:label\":\"Network Isolation\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Isolate\"},{\"@id\":\"d3f:Deceive\",\"children\":[{\"@id\":\"d3f:DecoyEnvironment\",\"children\":[{\"@id\":\"d3f:ConnectedHoneynet\",\"d3f:d3fend-id\":\"D3-CHN\",\"d3f:definition\":\"A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Connected Honeynet\"},{\"@id\":\"d3f:IntegratedHoneynet\",\"d3f:d3fend-id\":\"D3-IHN\",\"d3f:definition\":\"The practice of setting decoys in a production environment to entice interaction from attackers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Integrated Honeynet\"},{\"@id\":\"d3f:StandaloneHoneynet\",\"d3f:d3fend-id\":\"D3-SHN\",\"d3f:definition\":\"An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise 
systems.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Standalone Honeynet\"}],\"d3f:d3fend-id\":\"D3-DE\",\"d3f:definition\":\"A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.\",\"rdfs:label\":\"Decoy Environment\"},{\"@id\":\"d3f:DecoyObject\",\"children\":[{\"@id\":\"d3f:DecoyFile\",\"d3f:d3fend-id\":\"D3-DF\",\"d3f:definition\":\"A file created for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Decoy File\"},{\"@id\":\"d3f:DecoyNetworkResource\",\"d3f:d3fend-id\":\"D3-DNR\",\"d3f:definition\":\"Deploying a network resource for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Decoy Network Resource\"},{\"@id\":\"d3f:DecoyPersona\",\"d3f:d3fend-id\":\"D3-DP\",\"d3f:definition\":\"Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Decoy Persona\"},{\"@id\":\"d3f:DecoyPublicRelease\",\"d3f:d3fend-id\":\"D3-DPR\",\"d3f:definition\":\"Issuing publicly released media to deceive adversaries.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Decoy Public Release\"},{\"@id\":\"d3f:DecoySessionToken\",\"d3f:d3fend-id\":\"D3-DST\",\"d3f:definition\":\"An authentication token created for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Decoy Session Token\"},{\"@id\":\"d3f:DecoyUserCredential\",\"d3f:d3fend-id\":\"D3-DUC\",\"d3f:definition\":\"A Credential created for the purpose of deceiving an 
adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Decoy User Credential\"}],\"d3f:d3fend-id\":\"D3-DO\",\"d3f:definition\":\"A Decoy Object is created and deployed for the purposes of deceiving attackers.\",\"rdfs:label\":\"Decoy Object\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Deceive\"},{\"@id\":\"d3f:Evict\",\"children\":[{\"@id\":\"d3f:CredentialEviction\",\"children\":[{\"@id\":\"d3f:AccountLocking\",\"d3f:d3fend-id\":\"D3-AL\",\"d3f:definition\":\"The process of temporarily disabling user accounts on a system or domain.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Account Locking\"},{\"@id\":\"d3f:AuthenticationCacheInvalidation\",\"d3f:d3fend-id\":\"D3-ANCI\",\"d3f:definition\":\"Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Authentication Cache Invalidation\"},{\"@id\":\"d3f:CredentialRevocation\",\"d3f:d3fend-id\":\"D3-CR\",\"d3f:definition\":\"Deleting a set of credentials permanently to prevent them from being used to authenticate.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential Revocation\"}],\"d3f:d3fend-id\":\"D3-CE\",\"d3f:definition\":\"Credential Eviction techniques disable or remove compromised credentials from a computer network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential 
Eviction\"},{\"@id\":\"d3f:ObjectEviction\",\"children\":[{\"@id\":\"d3f:FileEviction\",\"children\":[{\"@id\":\"d3f:EmailRemoval\",\"d3f:d3fend-id\":\"D3-ER\",\"d3f:definition\":\"The email removal technique deletes email files from system storage.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Email Removal\"}],\"d3f:d3fend-id\":\"D3-FEV\",\"d3f:definition\":\"File eviction techniques delete files from system storage.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Eviction\"},{\"@id\":\"d3f:DomainRegistrationTakedown\",\"d3f:d3fend-id\":\"D3-DRT\",\"d3f:definition\":\"The process of performing a takedown of the attacker's domain registration infrastructure.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Domain Registration Takedown\"},{\"@id\":\"d3f:DiskFormatting\",\"children\":[{\"@id\":\"d3f:DiskErasure\",\"d3f:d3fend-id\":\"D3-DKE\",\"d3f:definition\":\"Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Disk Erasure\"},{\"@id\":\"d3f:DiskPartitioning\",\"d3f:d3fend-id\":\"D3-DKP\",\"d3f:definition\":\"Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Disk Partitioning\"}],\"d3f:d3fend-id\":\"D3-DKF\",\"d3f:definition\":\"Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Disk 
Formatting\"},{\"@id\":\"d3f:DNSCacheEviction\",\"d3f:d3fend-id\":\"D3-DNSCE\",\"d3f:definition\":\"Flushing DNS to clear any IP addresses or other DNS records from the cache.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"DNS Cache Eviction\"},{\"@id\":\"d3f:RegistryKeyDeletion\",\"d3f:d3fend-id\":\"D3-RKD\",\"d3f:definition\":\"Delete a registry key.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Registry Key Deletion\"}],\"d3f:d3fend-id\":\"D3-OE\",\"d3f:definition\":\"Terminate or remove an object from a host machine. This is the broadest class for object eviction.\",\"rdfs:label\":\"Object Eviction\"},{\"@id\":\"d3f:ProcessEviction\",\"children\":[{\"@id\":\"d3f:ProcessTermination\",\"d3f:d3fend-id\":\"D3-PT\",\"d3f:definition\":\"Terminating a running application process on a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Process Termination\"},{\"@id\":\"d3f:ProcessSuspension\",\"d3f:d3fend-id\":\"D3-PS\",\"d3f:definition\":\"Suspending a running process on a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Process Suspension\"},{\"@id\":\"d3f:HostShutdown\",\"children\":[{\"@id\":\"d3f:HostReboot\",\"d3f:d3fend-id\":\"D3-HR\",\"d3f:definition\":\"Initiating a host's reboot sequence to terminate all running processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Host Reboot\"}],\"d3f:d3fend-id\":\"D3-HS\",\"d3f:definition\":\"Initiating a host's shutdown sequence to terminate all running processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Host 
Shutdown\"},{\"@id\":\"d3f:SessionTermination\",\"d3f:d3fend-id\":\"D3-ST\",\"d3f:definition\":\"Forcefully end all active sessions associated with compromised accounts or devices.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Session Termination\"}],\"d3f:d3fend-id\":\"D3-PE\",\"d3f:definition\":\"Process eviction techniques terminate or remove running processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Process Eviction\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Evict\"},{\"@id\":\"d3f:Restore\",\"children\":[{\"@id\":\"d3f:RestoreAccess\",\"children\":[{\"@id\":\"d3f:RestoreNetworkAccess\",\"d3f:d3fend-id\":\"D3-RNA\",\"d3f:definition\":\"Restoring an entity's access to a computer network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Network Access\"},{\"@id\":\"d3f:RestoreUserAccountAccess\",\"children\":[{\"@id\":\"d3f:UnlockAccount\",\"d3f:d3fend-id\":\"D3-ULA\",\"d3f:definition\":\"Restoring a user account's access to resources by unlocking a locked User Account.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Unlock Account\"}],\"d3f:d3fend-id\":\"D3-RUAA\",\"d3f:definition\":\"Restoring a user account's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore User Account Access\"},{\"@id\":\"d3f:ReissueCredential\",\"d3f:d3fend-id\":\"D3-RIC\",\"d3f:definition\":\"Issue a new credential to a user which supersedes their old 
credential.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Reissue Credential\"}],\"d3f:d3fend-id\":\"D3-RA\",\"d3f:definition\":\"Restoring an entity's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Access\"},{\"@id\":\"d3f:RestoreObject\",\"children\":[{\"@id\":\"d3f:RestoreConfiguration\",\"d3f:d3fend-id\":\"D3-RC\",\"d3f:definition\":\"Restoring a software configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Configuration\"},{\"@id\":\"d3f:RestoreDatabase\",\"d3f:d3fend-id\":\"D3-RD\",\"d3f:definition\":\"Restoring the data in a database.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Database\"},{\"@id\":\"d3f:RestoreDiskImage\",\"d3f:d3fend-id\":\"D3-RDI\",\"d3f:definition\":\"Restoring a previously captured disk image to a hard drive.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Disk Image\"},{\"@id\":\"d3f:RestoreFile\",\"children\":[{\"@id\":\"d3f:RestoreEmail\",\"d3f:d3fend-id\":\"D3-RE\",\"d3f:definition\":\"Restoring an email for an entity to access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Email\"}],\"d3f:d3fend-id\":\"D3-RF\",\"d3f:definition\":\"Restoring a file for an entity to access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore File\"},{\"@id\":\"d3f:RestoreSoftware\",\"d3f:d3fend-id\":\"D3-RS\",\"d3f:definition\":\"Restoring software to a host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore 
Software\"}],\"d3f:d3fend-id\":\"D3-RO\",\"d3f:definition\":\"Restoring an object for an entity to access. This is the broadest class for object restoral.\",\"rdfs:label\":\"Restore Object\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Restore\"}]"}</script>
<script type="application/json" data-sveltekit-fetched data-url="/api/offensive-technique/all.json">{"status":200,"statusText":"","headers":{},"body":"{\"@context\":{\"rdfs\":\"http://www.w3.org/2000/01/rdf-schema#\",\"owl\":\"http://www.w3.org/2002/07/owl#\",\"d3f\":\"http://d3fend.mitre.org/ontologies/d3fend.owl#\",\"skos\":\"http://www.w3.org/2004/02/skos/core#\"},\"@graph\":[{\"@id\":\"d3f:T1001\",\"d3f:attack-id\":\"T1001\",\"d3f:definition\":\"Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.\",\"rdfs:label\":\"Data Obfuscation\"},{\"@id\":\"d3f:T1001.001\",\"d3f:attack-id\":\"T1001.001\",\"d3f:definition\":\"Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.\",\"rdfs:label\":\"Junk Data\"},{\"@id\":\"d3f:T1001.002\",\"d3f:attack-id\":\"T1001.002\",\"d3f:definition\":\"Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. 
In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.\",\"rdfs:label\":\"Steganography\"},{\"@id\":\"d3f:T1001.003\",\"d3f:attack-id\":\"T1001.003\",\"d3f:definition\":\"Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.\",\"rdfs:label\":\"Protocol or Service Impersonation\"},{\"@id\":\"d3f:T1002\",\"d3f:attack-id\":\"T1002\",\"d3f:definition\":\"An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.\",\"rdfs:label\":\"Data Compressed\"},{\"@id\":\"d3f:T1003\",\"d3f:attack-id\":\"T1003\",\"d3f:definition\":\"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\",\"rdfs:label\":\"OS Credential Dumping\"},{\"@id\":\"d3f:T1003.001\",\"d3f:attack-id\":\"T1003.001\",\"d3f:definition\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. 
These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\",\"rdfs:label\":\"LSASS Memory\"},{\"@id\":\"d3f:T1003.002\",\"d3f:attack-id\":\"T1003.002\",\"d3f:definition\":\"Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the \u003Ccode>net user\u003C/code> command. Enumerating the SAM database requires SYSTEM level access.\",\"rdfs:label\":\"Security Account Manager\"},{\"@id\":\"d3f:T1003.003\",\"d3f:attack-id\":\"T1003.003\",\"d3f:definition\":\"Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in \u003Ccode>%SystemRoot%\\\\NTDS\\\\Ntds.dit\u003C/code> of a domain controller.(Citation: Wikipedia Active Directory)\",\"rdfs:label\":\"NTDS\"},{\"@id\":\"d3f:T1003.004\",\"d3f:attack-id\":\"T1003.004\",\"d3f:definition\":\"Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at \u003Ccode>HKEY_LOCAL_MACHINE\\\\SECURITY\\\\Policy\\\\Secrets\u003C/code>. 
LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)\",\"rdfs:label\":\"LSA Secrets\"},{\"@id\":\"d3f:T1003.005\",\"d3f:attack-id\":\"T1003.005\",\"d3f:definition\":\"Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\",\"rdfs:label\":\"Cached Domain Credentials\"},{\"@id\":\"d3f:T1003.006\",\"d3f:attack-id\":\"T1003.006\",\"d3f:definition\":\"Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.\",\"rdfs:label\":\"DCSync\"},{\"@id\":\"d3f:T1003.007\",\"d3f:attack-id\":\"T1003.007\",\"d3f:definition\":\"Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/\u003CPID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/\u003CPID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)\",\"rdfs:label\":\"Proc Filesystem\"},{\"@id\":\"d3f:T1003.008\",\"d3f:attack-id\":\"T1003.008\",\"d3f:definition\":\"Adversaries may attempt to dump the contents of \u003Ccode>/etc/passwd\u003C/code> and \u003Ccode>/etc/shadow\u003C/code> to enable offline password cracking. 
Most modern Linux operating systems use a combination of \u003Ccode>/etc/passwd\u003C/code> and \u003Ccode>/etc/shadow\u003C/code> to store user account information including password hashes in \u003Ccode>/etc/shadow\u003C/code>. By default, \u003Ccode>/etc/shadow\u003C/code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\",\"rdfs:label\":\"/etc/passwd and /etc/shadow\"},{\"@id\":\"d3f:T1004\",\"d3f:attack-id\":\"T1004\",\"d3f:definition\":\"Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in \u003Ccode>HKLM\\\\Software\\\\[Wow6432Node\\\\]Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\u003C/code> and \u003Ccode>HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\u003C/code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)\",\"rdfs:label\":\"Winlogon Helper DLL\"},{\"@id\":\"d3f:T1005\",\"d3f:attack-id\":\"T1005\",\"d3f:definition\":\"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\",\"rdfs:label\":\"Data from Local System\"},{\"@id\":\"d3f:T1006\",\"d3f:attack-id\":\"T1006\",\"d3f:definition\":\"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. 
(Citation: Hakobyan 2009)\",\"rdfs:label\":\"Direct Volume Access\"},{\"@id\":\"d3f:T1007\",\"d3f:attack-id\":\"T1007\",\"d3f:definition\":\"Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as \u003Ccode>sc query\u003C/code>, \u003Ccode>tasklist /svc\u003C/code>, \u003Ccode>systemctl --type=service\u003C/code>, and \u003Ccode>net start\u003C/code>.\",\"rdfs:label\":\"System Service Discovery\"},{\"@id\":\"d3f:T1008\",\"d3f:attack-id\":\"T1008\",\"d3f:definition\":\"Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.\",\"rdfs:label\":\"Fallback Channels\"},{\"@id\":\"d3f:T1009\",\"d3f:attack-id\":\"T1009\",\"d3f:definition\":\"Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\",\"rdfs:label\":\"Binary Padding\"},{\"@id\":\"d3f:T1010\",\"d3f:attack-id\":\"T1010\",\"d3f:definition\":\"Adversaries may attempt to get a listing of open application windows. 
Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used to identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\",\"rdfs:label\":\"Application Window Discovery\"},{\"@id\":\"d3f:T1011\",\"d3f:attack-id\":\"T1011\",\"d3f:definition\":\"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\",\"rdfs:label\":\"Exfiltration Over Other Network Medium\"},{\"@id\":\"d3f:T1011.001\",\"d3f:attack-id\":\"T1011.001\",\"d3f:definition\":\"Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.\",\"rdfs:label\":\"Exfiltration Over Bluetooth\"},{\"@id\":\"d3f:T1012\",\"d3f:attack-id\":\"T1012\",\"d3f:definition\":\"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\",\"rdfs:label\":\"Query Registry\"},{\"@id\":\"d3f:T1013\",\"d3f:attack-id\":\"T1013\",\"d3f:definition\":\"A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in \u003Ccode>C:\\\\Windows\\\\System32\u003C/code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. 
(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to \u003Ccode>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\u003C/code>.\",\"rdfs:label\":\"Port Monitors\"},{\"@id\":\"d3f:T1014\",\"d3f:attack-id\":\"T1014\",\"d3f:definition\":\"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)\",\"rdfs:label\":\"Rootkit\"},{\"@id\":\"d3f:T1015\",\"d3f:attack-id\":\"T1015\",\"d3f:definition\":\"Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"rdfs:label\":\"Accessibility Features\"},{\"@id\":\"d3f:T1016\",\"d3f:attack-id\":\"T1016\",\"d3f:definition\":\"Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\",\"rdfs:label\":\"System Network Configuration Discovery\"},{\"@id\":\"d3f:T1016.001\",\"d3f:attack-id\":\"T1016.001\",\"d3f:definition\":\"Adversaries may check for Internet connectivity on compromised systems. 
This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), \u003Ccode>tracert\u003C/code>, and GET requests to websites.\",\"rdfs:label\":\"Internet Connection Discovery\"},{\"@id\":\"d3f:T1016.002\",\"d3f:attack-id\":\"T1016.002\",\"d3f:definition\":\"Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.\",\"rdfs:label\":\"Wi-Fi Discovery\"},{\"@id\":\"d3f:T1017\",\"d3f:attack-id\":\"T1017\",\"d3f:definition\":\"Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.\",\"rdfs:label\":\"Application Deployment Software\"},{\"@id\":\"d3f:T1018\",\"d3f:attack-id\":\"T1018\",\"d3f:definition\":\"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. 
Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or \u003Ccode>net view\u003C/code> using [Net](https://attack.mitre.org/software/S0039).\",\"rdfs:label\":\"Remote System Discovery\"},{\"@id\":\"d3f:T1019\",\"d3f:attack-id\":\"T1019\",\"d3f:definition\":\"The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\",\"rdfs:label\":\"System Firmware\"},{\"@id\":\"d3f:T1020\",\"d3f:attack-id\":\"T1020\",\"d3f:definition\":\"Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)\",\"rdfs:label\":\"Automated Exfiltration\"},{\"@id\":\"d3f:T1020.001\",\"d3f:attack-id\":\"T1020.001\",\"d3f:definition\":\"Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\",\"rdfs:label\":\"Traffic Duplication\"},{\"@id\":\"d3f:T1021\",\"d3f:attack-id\":\"T1021\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. 
The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"Remote Services\"},{\"@id\":\"d3f:T1021.001\",\"d3f:attack-id\":\"T1021.001\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"Remote Desktop Protocol\"},{\"@id\":\"d3f:T1021.002\",\"d3f:attack-id\":\"T1021.002\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"SMB/Windows Admin Shares\"},{\"@id\":\"d3f:T1021.003\",\"d3f:attack-id\":\"T1021.003\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"Distributed Component Object Model\"},{\"@id\":\"d3f:T1021.004\",\"d3f:attack-id\":\"T1021.004\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"SSH\"},{\"@id\":\"d3f:T1021.005\",\"d3f:attack-id\":\"T1021.005\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). 
VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\",\"rdfs:label\":\"VNC\"},{\"@id\":\"d3f:T1021.006\",\"d3f:attack-id\":\"T1021.006\",\"d3f:definition\":\"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\",\"rdfs:label\":\"Windows Remote Management\"},{\"@id\":\"d3f:T1021.007\",\"d3f:attack-id\":\"T1021.007\",\"d3f:definition\":\"Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.\",\"rdfs:label\":\"Cloud Services\"},{\"@id\":\"d3f:T1021.008\",\"d3f:attack-id\":\"T1021.008\",\"d3f:definition\":\"Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. 
Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS Systems Manager.(Citation: AWS System Manager)\",\"rdfs:label\":\"Direct Cloud VM Connections\"},{\"@id\":\"d3f:T1022\",\"d3f:attack-id\":\"T1022\",\"d3f:definition\":\"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\",\"rdfs:label\":\"Data Encrypted\"},{\"@id\":\"d3f:T1023\",\"d3f:attack-id\":\"T1023\",\"d3f:definition\":\"Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.\",\"rdfs:label\":\"Shortcut Modification\"},{\"@id\":\"d3f:T1024\",\"d3f:attack-id\":\"T1024\",\"d3f:definition\":\"Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. 
A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.\",\"rdfs:label\":\"Custom Cryptographic Protocol\"},{\"@id\":\"d3f:T1025\",\"d3f:attack-id\":\"T1025\",\"d3f:definition\":\"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.\",\"rdfs:label\":\"Data from Removable Media\"},{\"@id\":\"d3f:T1026\",\"d3f:attack-id\":\"T1026\",\"d3f:definition\":\"**This technique has been deprecated and should no longer be used.**\",\"rdfs:label\":\"Multiband Communication\"},{\"@id\":\"d3f:T1027\",\"d3f:attack-id\":\"T1027\",\"d3f:definition\":\"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\",\"rdfs:label\":\"Obfuscated Files or Information\"},{\"@id\":\"d3f:T1027.001\",\"d3f:attack-id\":\"T1027.001\",\"d3f:definition\":\"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\",\"rdfs:label\":\"Binary Padding\"},{\"@id\":\"d3f:T1027.002\",\"d3f:attack-id\":\"T1027.002\",\"d3f:definition\":\"Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. 
Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)\",\"rdfs:label\":\"Software Packing\"},{\"@id\":\"d3f:T1027.003\",\"d3f:attack-id\":\"T1027.003\",\"d3f:definition\":\"Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\",\"rdfs:label\":\"Steganography\"},{\"@id\":\"d3f:T1027.004\",\"d3f:attack-id\":\"T1027.004\",\"d3f:definition\":\"Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\",\"rdfs:label\":\"Compile After Delivery\"},{\"@id\":\"d3f:T1027.005\",\"d3f:attack-id\":\"T1027.005\",\"d3f:definition\":\"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\",\"rdfs:label\":\"Indicator Removal from Tools\"},{\"@id\":\"d3f:T1027.006\",\"d3f:attack-id\":\"T1027.006\",\"d3f:definition\":\"Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. 
HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\",\"rdfs:label\":\"HTML Smuggling\"},{\"@id\":\"d3f:T1027.007\",\"d3f:attack-id\":\"T1027.007\",\"d3f:definition\":\"Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\",\"rdfs:label\":\"Dynamic API Resolution\"},{\"@id\":\"d3f:T1027.008\",\"d3f:attack-id\":\"T1027.008\",\"d3f:definition\":\"Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human-readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)\",\"rdfs:label\":\"Stripped Payloads\"},{\"@id\":\"d3f:T1027.009\",\"d3f:attack-id\":\"T1027.009\",\"d3f:definition\":\"Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. 
In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)\",\"rdfs:label\":\"Embedded Payloads\"},{\"@id\":\"d3f:T1027.010\",\"d3f:attack-id\":\"T1027.010\",\"d3f:definition\":\"Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\",\"rdfs:label\":\"Command Obfuscation\"},{\"@id\":\"d3f:T1027.011\",\"d3f:attack-id\":\"T1027.011\",\"d3f:definition\":\"Adversaries may store data in \\\"fileless\\\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\",\"rdfs:label\":\"Fileless Storage\"},{\"@id\":\"d3f:T1027.012\",\"d3f:attack-id\":\"T1027.012\",\"d3f:definition\":\"Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. 
Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.\",\"rdfs:label\":\"LNK Icon Smuggling\"},{\"@id\":\"d3f:T1027.013\",\"d3f:attack-id\":\"T1027.013\",\"d3f:definition\":\"Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\",\"rdfs:label\":\"Encrypted/Encoded File\"},{\"@id\":\"d3f:T1027.014\",\"d3f:attack-id\":\"T1027.014\",\"d3f:definition\":\"Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. 
This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone)\",\"rdfs:label\":\"Polymorphic Code\"},{\"@id\":\"d3f:T1028\",\"d3f:attack-id\":\"T1028\",\"d3f:definition\":\"Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the \u003Ccode>winrm\u003C/code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)\",\"rdfs:label\":\"Windows Remote Management\"},{\"@id\":\"d3f:T1029\",\"d3f:attack-id\":\"T1029\",\"d3f:definition\":\"Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\",\"rdfs:label\":\"Scheduled Transfer\"},{\"@id\":\"d3f:T1030\",\"d3f:attack-id\":\"T1030\",\"d3f:definition\":\"An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.\",\"rdfs:label\":\"Data Transfer Size Limits\"},{\"@id\":\"d3f:T1031\",\"d3f:attack-id\":\"T1031\",\"d3f:definition\":\"Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).\",\"rdfs:label\":\"Modify Existing Service\"},{\"@id\":\"d3f:T1032\",\"d3f:attack-id\":\"T1032\",\"d3f:definition\":\"Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.\",\"rdfs:label\":\"Standard Cryptographic Protocol\"},{\"@id\":\"d3f:T1033\",\"d3f:attack-id\":\"T1033\",\"d3f:definition\":\"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"System Owner/User Discovery\"},{\"@id\":\"d3f:T1034\",\"d3f:attack-id\":\"T1034\",\"d3f:definition\":\"**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**\",\"rdfs:label\":\"Path Interception\"},{\"@id\":\"d3f:T1035\",\"d3f:attack-id\":\"T1035\",\"d3f:definition\":\"Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. 
This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.\",\"rdfs:label\":\"Service Execution\"},{\"@id\":\"d3f:T1036\",\"d3f:attack-id\":\"T1036\",\"d3f:definition\":\"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\",\"rdfs:label\":\"Masquerading\"},{\"@id\":\"d3f:T1036.001\",\"d3f:attack-id\":\"T1036.001\",\"d3f:definition\":\"Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\",\"rdfs:label\":\"Invalid Code Signature\"},{\"@id\":\"d3f:T1036.002\",\"d3f:attack-id\":\"T1036.002\",\"d3f:definition\":\"Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. 
For example, a Windows screensaver executable named \u003Ccode>March 25 \\\\u202Excod.scr\u003C/code> will display as \u003Ccode>March 25 rcs.docx\u003C/code>. A JavaScript file named \u003Ccode>photo_high_re\\\\u202Egnp.js\u003C/code> will be displayed as \u003Ccode>photo_high_resj.png\u003C/code>.(Citation: Infosecinstitute RTLO Technique)\",\"rdfs:label\":\"Right-to-Left Override\"},{\"@id\":\"d3f:T1036.003\",\"d3f:attack-id\":\"T1036.003\",\"d3f:definition\":\"Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename \u003Ccode>rundll32.exe\u003C/code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\",\"rdfs:label\":\"Rename System Utilities\"},{\"@id\":\"d3f:T1036.004\",\"d3f:attack-id\":\"T1036.004\",\"d3f:definition\":\"Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. 
Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\",\"rdfs:label\":\"Masquerade Task or Service\"},{\"@id\":\"d3f:T1036.005\",\"d3f:attack-id\":\"T1036.005\",\"d3f:definition\":\"Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\",\"rdfs:label\":\"Match Legitimate Name or Location\"},{\"@id\":\"d3f:T1036.006\",\"d3f:attack-id\":\"T1036.006\",\"d3f:definition\":\"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\",\"rdfs:label\":\"Space after Filename\"},{\"@id\":\"d3f:T1036.007\",\"d3f:attack-id\":\"T1036.007\",\"d3f:definition\":\"Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: \u003Ccode>File.txt.exe\u003C/code> may render in some views as just \u003Ccode>File.txt\u003C/code>). However, the second extension is the true file type that determines how the file is opened and executed. 
The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)\",\"rdfs:label\":\"Double File Extension\"},{\"@id\":\"d3f:T1036.008\",\"d3f:attack-id\":\"T1036.008\",\"d3f:definition\":\"Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file is \u003Ccode> 0xFF 0xD8\u003C/code> and the file extension is either `.JPE`, `.JPEG` or `.JPG`.\",\"rdfs:label\":\"Masquerade File Type\"},{\"@id\":\"d3f:T1036.009\",\"d3f:attack-id\":\"T1036.009\",\"d3f:definition\":\"An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022)\",\"rdfs:label\":\"Break Process Trees\"},{\"@id\":\"d3f:T1036.010\",\"d3f:attack-id\":\"T1036.010\",\"d3f:definition\":\"Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. 
This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\",\"rdfs:label\":\"Masquerade Account Name\"},{\"@id\":\"d3f:T1037\",\"d3f:attack-id\":\"T1037\",\"d3f:definition\":\"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.\",\"rdfs:label\":\"Boot or Logon Initialization Scripts\"},{\"@id\":\"d3f:T1037.001\",\"d3f:attack-id\":\"T1037.001\",\"d3f:definition\":\"Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the \u003Ccode>HKCU\\\\Environment\\\\UserInitMprLogonScript\u003C/code> Registry key.(Citation: Hexacorn Logon Scripts)\",\"rdfs:label\":\"Logon Script (Windows)\"},{\"@id\":\"d3f:T1037.002\",\"d3f:attack-id\":\"T1037.002\",\"d3f:definition\":\"Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the \u003Ccode>/Library/Preferences/com.apple.loginwindow.plist\u003C/code> file and can be modified using the \u003Ccode>defaults\u003C/code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. 
All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)\",\"rdfs:label\":\"Login Hook\"},{\"@id\":\"d3f:T1037.003\",\"d3f:attack-id\":\"T1037.003\",\"d3f:definition\":\"Group Policy Object / Active Directory Users and Computers are both Active Directory-based\",\"rdfs:label\":\"Network Logon Script\"},{\"@id\":\"d3f:T1037.004\",\"d3f:attack-id\":\"T1037.004\",\"d3f:definition\":\"Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\",\"rdfs:label\":\"RC Scripts\"},{\"@id\":\"d3f:T1037.005\",\"d3f:attack-id\":\"T1037.005\",\"d3f:definition\":\"Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)\",\"rdfs:label\":\"Startup Items\"},{\"@id\":\"d3f:T1038\",\"d3f:attack-id\":\"T1038\",\"d3f:definition\":\"Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.\",\"rdfs:label\":\"DLL Search Order Hijacking\"},{\"@id\":\"d3f:T1039\",\"d3f:attack-id\":\"T1039\",\"d3f:definition\":\"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) 
that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.\",\"rdfs:label\":\"Data from Network Shared Drive\"},{\"@id\":\"d3f:T1040\",\"d3f:attack-id\":\"T1040\",\"d3f:definition\":\"Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\",\"rdfs:label\":\"Network Sniffing\"},{\"@id\":\"d3f:T1041\",\"d3f:attack-id\":\"T1041\",\"d3f:definition\":\"Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.\",\"rdfs:label\":\"Exfiltration Over C2 Channel\"},{\"@id\":\"d3f:T1042\",\"d3f:attack-id\":\"T1042\",\"d3f:definition\":\"When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. 
(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\",\"rdfs:label\":\"Change Default File Association\"},{\"@id\":\"d3f:T1043\",\"d3f:attack-id\":\"T1043\",\"d3f:definition\":\"**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\",\"rdfs:label\":\"Commonly Used Port\"},{\"@id\":\"d3f:T1044\",\"d3f:attack-id\":\"T1044\",\"d3f:definition\":\"Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\",\"rdfs:label\":\"File System Permissions Weakness\"},{\"@id\":\"d3f:T1045\",\"d3f:attack-id\":\"T1045\",\"d3f:definition\":\"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.\",\"rdfs:label\":\"Software Packing\"},{\"@id\":\"d3f:T1046\",\"d3f:attack-id\":\"T1046\",\"d3f:definition\":\"Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. 
Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)\",\"rdfs:label\":\"Network Service Discovery\"},{\"@id\":\"d3f:T1047\",\"d3f:attack-id\":\"T1047\",\"d3f:definition\":\"Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.\",\"rdfs:label\":\"Windows Management Instrumentation\"},{\"@id\":\"d3f:T1048\",\"d3f:attack-id\":\"T1048\",\"d3f:definition\":\"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\",\"rdfs:label\":\"Exfiltration Over Alternative Protocol\"},{\"@id\":\"d3f:T1048.001\",\"d3f:attack-id\":\"T1048.001\",\"d3f:definition\":\"Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\",\"rdfs:label\":\"Exfiltration Over Symmetric Encrypted Non-C2 Protocol\"},{\"@id\":\"d3f:T1048.002\",\"d3f:attack-id\":\"T1048.002\",\"d3f:definition\":\"Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. 
The data may also be sent to an alternate network location from the main command and control server.\",\"rdfs:label\":\"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol\"},{\"@id\":\"d3f:T1048.003\",\"d3f:attack-id\":\"T1048.003\",\"d3f:definition\":\"Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\",\"rdfs:label\":\"Exfiltration Over Unencrypted Non-C2 Protocol\"},{\"@id\":\"d3f:T1049\",\"d3f:attack-id\":\"T1049\",\"d3f:definition\":\"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\",\"rdfs:label\":\"System Network Connections Discovery\"},{\"@id\":\"d3f:T1050\",\"d3f:attack-id\":\"T1050\",\"d3f:definition\":\"When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.\",\"rdfs:label\":\"New Service\"},{\"@id\":\"d3f:T1051\",\"d3f:attack-id\":\"T1051\",\"d3f:definition\":\"**This technique has been deprecated and should no longer be used.**\",\"rdfs:label\":\"Shared Webroot\"},{\"@id\":\"d3f:T1052\",\"d3f:attack-id\":\"T1052\",\"d3f:definition\":\"Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. 
The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.\",\"rdfs:label\":\"Exfiltration Over Physical Medium\"},{\"@id\":\"d3f:T1052.001\",\"d3f:attack-id\":\"T1052.001\",\"d3f:definition\":\"Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.\",\"rdfs:label\":\"Exfiltration over USB\"},{\"@id\":\"d3f:T1053\",\"d3f:attack-id\":\"T1053\",\"d3f:definition\":\"The sub-techniques of this are specific software implementations of scheduling capabilities\",\"rdfs:label\":\"Scheduled Task/Job\"},{\"@id\":\"d3f:T1053.001\",\"d3f:attack-id\":\"T1053.001\",\"d3f:definition\":\"Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\",\"rdfs:label\":\"At (Linux) Execution\"},{\"@id\":\"d3f:T1053.002\",\"d3f:attack-id\":\"T1053.002\",\"d3f:definition\":\"Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. 
Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.\",\"rdfs:label\":\"At\"},{\"@id\":\"d3f:T1053.003\",\"d3f:attack-id\":\"T1053.003\",\"d3f:definition\":\"Adversaries may abuse the \u003Ccode>cron\u003C/code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The \u003Ccode>cron\u003C/code> utility is a time-based job scheduler for Unix-like operating systems. The \u003Ccode>crontab\u003C/code> file contains the schedule of cron entries to be run and the specified times for execution. Any \u003Ccode>crontab\u003C/code> files are stored in operating system-specific file paths.\",\"rdfs:label\":\"Cron\"},{\"@id\":\"d3f:T1053.004\",\"d3f:attack-id\":\"T1053.004\",\"d3f:definition\":\"This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.\",\"rdfs:label\":\"Launchd\"},{\"@id\":\"d3f:T1053.005\",\"d3f:attack-id\":\"T1053.005\",\"d3f:definition\":\"Renamed from ATT&CK to be consistent with at, launchd, cron siblings; name as is looks like parent. Not sure why parent is not just Scheduled Task [Execution].\",\"rdfs:label\":\"Scheduled Task\"},{\"@id\":\"d3f:T1053.006\",\"d3f:attack-id\":\"T1053.006\",\"d3f:definition\":\"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension \u003Ccode>.timer\u003C/code> that control services. 
Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the \u003Ccode>systemctl\u003C/code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\",\"rdfs:label\":\"Systemd Timers\"},{\"@id\":\"d3f:T1053.007\",\"d3f:attack-id\":\"T1053.007\",\"d3f:definition\":\"Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\",\"rdfs:label\":\"Container Orchestration Job\"},{\"@id\":\"d3f:T1054\",\"d3f:attack-id\":\"T1054\",\"d3f:definition\":\"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. 
(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\",\"rdfs:label\":\"Indicator Blocking\"},{\"@id\":\"d3f:T1055\",\"d3f:attack-id\":\"T1055\",\"d3f:definition\":\"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\",\"rdfs:label\":\"Process Injection\"},{\"@id\":\"d3f:T1055.001\",\"d3f:attack-id\":\"T1055.001\",\"d3f:definition\":\"Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Dynamic-link Library Injection\"},{\"@id\":\"d3f:T1055.002\",\"d3f:attack-id\":\"T1055.002\",\"d3f:definition\":\"Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Portable Executable Injection\"},{\"@id\":\"d3f:T1055.003\",\"d3f:attack-id\":\"T1055.003\",\"d3f:definition\":\"Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. 
Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Thread Execution Hijacking\"},{\"@id\":\"d3f:T1055.004\",\"d3f:attack-id\":\"T1055.004\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Asynchronous Procedure Call\"},{\"@id\":\"d3f:T1055.005\",\"d3f:attack-id\":\"T1055.005\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Thread Local Storage\"},{\"@id\":\"d3f:T1055.008\",\"d3f:attack-id\":\"T1055.008\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Ptrace System Calls\"},{\"@id\":\"d3f:T1055.009\",\"d3f:attack-id\":\"T1055.009\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. 
Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Proc Memory\"},{\"@id\":\"d3f:T1055.011\",\"d3f:attack-id\":\"T1055.011\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Extra Window Memory Injection\"},{\"@id\":\"d3f:T1055.012\",\"d3f:attack-id\":\"T1055.012\",\"d3f:definition\":\"Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Process Hollowing\"},{\"@id\":\"d3f:T1055.013\",\"d3f:attack-id\":\"T1055.013\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"Process Doppelgänging\"},{\"@id\":\"d3f:T1055.014\",\"d3f:attack-id\":\"T1055.014\",\"d3f:definition\":\"Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.\",\"rdfs:label\":\"VDSO Hijacking\"},{\"@id\":\"d3f:T1055.015\",\"d3f:attack-id\":\"T1055.015\",\"d3f:definition\":\"Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. 
ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\",\"rdfs:label\":\"ListPlanting\"},{\"@id\":\"d3f:T1056\",\"d3f:attack-id\":\"T1056\",\"d3f:definition\":\"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).\",\"rdfs:label\":\"Input Capture\"},{\"@id\":\"d3f:T1056.001\",\"d3f:attack-id\":\"T1056.001\",\"d3f:definition\":\"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\",\"rdfs:label\":\"Keylogging\"},{\"@id\":\"d3f:T1056.002\",\"d3f:attack-id\":\"T1056.002\",\"d3f:definition\":\"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\",\"rdfs:label\":\"GUI Input Capture\"},{\"@id\":\"d3f:T1056.003\",\"d3f:attack-id\":\"T1056.003\",\"d3f:definition\":\"Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\",\"rdfs:label\":\"Web Portal Capture\"},{\"@id\":\"d3f:T1056.004\",\"d3f:attack-id\":\"T1056.004\",\"d3f:definition\":\"Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\",\"rdfs:label\":\"Credential API Hooking\"},{\"@id\":\"d3f:T1057\",\"d3f:attack-id\":\"T1057\",\"d3f:definition\":\"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"Process Discovery\"},{\"@id\":\"d3f:T1058\",\"d3f:attack-id\":\"T1058\",\"d3f:definition\":\"Windows stores local service configuration information in the Registry under \u003Ccode>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\u003C/code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)\",\"rdfs:label\":\"Service Registry Permissions Weakness\"},{\"@id\":\"d3f:T1059\",\"d3f:attack-id\":\"T1059\",\"d3f:definition\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\",\"rdfs:label\":\"Command and Scripting Interpreter\"},{\"@id\":\"d3f:T1059.001\",\"d3f:attack-id\":\"T1059.001\",\"d3f:definition\":\"Adversaries may abuse PowerShell commands and scripts for execution. 
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the \u003Ccode>Start-Process\u003C/code> cmdlet which can be used to run an executable and the \u003Ccode>Invoke-Command\u003C/code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\",\"rdfs:label\":\"PowerShell\"},{\"@id\":\"d3f:T1059.002\",\"d3f:attack-id\":\"T1059.002\",\"d3f:definition\":\"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\",\"rdfs:label\":\"AppleScript\"},{\"@id\":\"d3f:T1059.003\",\"d3f:attack-id\":\"T1059.003\",\"d3f:definition\":\"Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\",\"rdfs:label\":\"Windows Command Shell\"},{\"@id\":\"d3f:T1059.004\",\"d3f:attack-id\":\"T1059.004\",\"d3f:definition\":\"Adversaries may abuse Unix shell commands and scripts for execution. 
Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\",\"rdfs:label\":\"Unix Shell\"},{\"@id\":\"d3f:T1059.005\",\"d3f:attack-id\":\"T1059.005\",\"d3f:definition\":\"Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\",\"rdfs:label\":\"Visual Basic\"},{\"@id\":\"d3f:T1059.006\",\"d3f:attack-id\":\"T1059.006\",\"d3f:definition\":\"Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the \u003Ccode>python.exe\u003C/code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)\",\"rdfs:label\":\"Python\"},{\"@id\":\"d3f:T1059.007\",\"d3f:attack-id\":\"T1059.007\",\"d3f:definition\":\"Adversaries may abuse various implementations of JavaScript for execution. 
JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\",\"rdfs:label\":\"JavaScript\"},{\"@id\":\"d3f:T1059.008\",\"d3f:attack-id\":\"T1059.008\",\"d3f:definition\":\"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.\",\"rdfs:label\":\"Network Device CLI\"},{\"@id\":\"d3f:T1059.009\",\"d3f:attack-id\":\"T1059.009\",\"d3f:definition\":\"Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).\",\"rdfs:label\":\"Cloud API\"},{\"@id\":\"d3f:T1059.010\",\"d3f:attack-id\":\"T1059.010\",\"d3f:definition\":\"Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. 
These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\",\"rdfs:label\":\"AutoHotKey & AutoIT\"},{\"@id\":\"d3f:T1059.011\",\"d3f:attack-id\":\"T1059.011\",\"d3f:definition\":\"Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (\u003Ccode>.lua\u003C/code>), or from Lua-embedded programs (through the \u003Ccode>struct lua_State\u003C/code>).(Citation: Lua main page)(Citation: Lua state)\",\"rdfs:label\":\"Lua\"},{\"@id\":\"d3f:T1060\",\"d3f:attack-id\":\"T1060\",\"d3f:definition\":\"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\",\"rdfs:label\":\"Registry Run Keys / Startup Folder\"},{\"@id\":\"d3f:T1061\",\"d3f:attack-id\":\"T1061\",\"d3f:definition\":\"**This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.**\",\"rdfs:label\":\"Graphical User Interface\"},{\"@id\":\"d3f:T1062\",\"d3f:attack-id\":\"T1062\",\"d3f:definition\":\"**This technique has been deprecated and should no longer be used.**\",\"rdfs:label\":\"Hypervisor\"},{\"@id\":\"d3f:T1063\",\"d3f:attack-id\":\"T1063\",\"d3f:definition\":\"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. 
This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"Security Software Discovery\"},{\"@id\":\"d3f:T1064\",\"d3f:attack-id\":\"T1064\",\"d3f:definition\":\"**This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.**\",\"rdfs:label\":\"Scripting\"},{\"@id\":\"d3f:T1065\",\"d3f:attack-id\":\"T1065\",\"d3f:definition\":\"Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.\",\"rdfs:label\":\"Uncommonly Used Port\"},{\"@id\":\"d3f:T1066\",\"d3f:attack-id\":\"T1066\",\"d3f:definition\":\"If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\",\"rdfs:label\":\"Indicator Removal from Tools\"},{\"@id\":\"d3f:T1067\",\"d3f:attack-id\":\"T1067\",\"d3f:definition\":\"A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)\",\"rdfs:label\":\"Bootkit\"},{\"@id\":\"d3f:T1068\",\"d3f:attack-id\":\"T1068\",\"d3f:definition\":\"Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\",\"rdfs:label\":\"Exploitation for Privilege Escalation\"},{\"@id\":\"d3f:T1069\",\"d3f:attack-id\":\"T1069\",\"d3f:definition\":\"Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\",\"rdfs:label\":\"Permission Groups Discovery\"},{\"@id\":\"d3f:T1069.001\",\"d3f:attack-id\":\"T1069.001\",\"d3f:definition\":\"Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\",\"rdfs:label\":\"Local Groups\"},{\"@id\":\"d3f:T1069.002\",\"d3f:attack-id\":\"T1069.002\",\"d3f:definition\":\"Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. 
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\",\"rdfs:label\":\"Domain Groups\"},{\"@id\":\"d3f:T1069.003\",\"d3f:attack-id\":\"T1069.003\",\"d3f:definition\":\"Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\",\"rdfs:label\":\"Cloud Groups\"},{\"@id\":\"d3f:T1070\",\"d3f:attack-id\":\"T1070\",\"d3f:definition\":\"Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\",\"rdfs:label\":\"Indicator Removal\"},{\"@id\":\"d3f:T1070.001\",\"d3f:attack-id\":\"T1070.001\",\"d3f:definition\":\"Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\",\"rdfs:label\":\"Clear Windows Event Logs\"},{\"@id\":\"d3f:T1070.002\",\"d3f:attack-id\":\"T1070.002\",\"d3f:definition\":\"Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the \u003Ccode>/var/log/\u003C/code> directory. 
Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\",\"rdfs:label\":\"Clear Linux or Mac System Logs\"},{\"@id\":\"d3f:T1070.003\",\"d3f:attack-id\":\"T1070.003\",\"d3f:definition\":\"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\",\"rdfs:label\":\"Clear Command History\"},{\"@id\":\"d3f:T1070.004\",\"d3f:attack-id\":\"T1070.004\",\"d3f:definition\":\"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"rdfs:label\":\"File Deletion\"},{\"@id\":\"d3f:T1070.005\",\"d3f:attack-id\":\"T1070.005\",\"d3f:definition\":\"Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the \u003Ccode>net use \\\\\\\\system\\\\share /delete\u003C/code> command. (Citation: Technet Net Use)\",\"rdfs:label\":\"Network Share Connection Removal\"},{\"@id\":\"d3f:T1070.006\",\"d3f:attack-id\":\"T1070.006\",\"d3f:definition\":\"Adversaries may modify file time attributes to hide new files or changes to existing files. 
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\",\"rdfs:label\":\"Timestomp\"},{\"@id\":\"d3f:T1070.007\",\"d3f:attack-id\":\"T1070.007\",\"d3f:definition\":\"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\",\"rdfs:label\":\"Clear Network Connection History and Configurations\"},{\"@id\":\"d3f:T1070.008\",\"d3f:attack-id\":\"T1070.008\",\"d3f:definition\":\"Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.\",\"rdfs:label\":\"Clear Mailbox Data\"},{\"@id\":\"d3f:T1070.009\",\"d3f:attack-id\":\"T1070.009\",\"d3f:definition\":\"Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. 
This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\",\"rdfs:label\":\"Clear Persistence\"},{\"@id\":\"d3f:T1070.010\",\"d3f:attack-id\":\"T1070.010\",\"d3f:definition\":\"Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to clean up older artifacts.\",\"rdfs:label\":\"Relocate Malware\"},{\"@id\":\"d3f:T1071\",\"d3f:attack-id\":\"T1071\",\"d3f:definition\":\"Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"Application Layer Protocol\"},{\"@id\":\"d3f:T1071.001\",\"d3f:attack-id\":\"T1071.001\",\"d3f:definition\":\"Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. 
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"Web Protocols\"},{\"@id\":\"d3f:T1071.002\",\"d3f:attack-id\":\"T1071.002\",\"d3f:definition\":\"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"File Transfer Protocols\"},{\"@id\":\"d3f:T1071.003\",\"d3f:attack-id\":\"T1071.003\",\"d3f:definition\":\"Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"Mail Protocols\"},{\"@id\":\"d3f:T1071.004\",\"d3f:attack-id\":\"T1071.004\",\"d3f:definition\":\"Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"DNS\"},{\"@id\":\"d3f:T1071.005\",\"d3f:attack-id\":\"T1071.005\",\"d3f:definition\":\"Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. 
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\",\"rdfs:label\":\"Publish/Subscribe Protocols\"},{\"@id\":\"d3f:T1072\",\"d3f:attack-id\":\"T1072\",\"d3f:definition\":\"Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.\",\"rdfs:label\":\"Software Deployment Tools\"},{\"@id\":\"d3f:T1073\",\"d3f:attack-id\":\"T1073\",\"d3f:definition\":\"Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)\",\"rdfs:label\":\"DLL Side-Loading\"},{\"@id\":\"d3f:T1074\",\"d3f:attack-id\":\"T1074\",\"d3f:definition\":\"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). 
Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\",\"rdfs:label\":\"Data Staged\"},{\"@id\":\"d3f:T1074.001\",\"d3f:attack-id\":\"T1074.001\",\"d3f:definition\":\"Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\",\"rdfs:label\":\"Local Data Staging\"},{\"@id\":\"d3f:T1074.002\",\"d3f:attack-id\":\"T1074.002\",\"d3f:definition\":\"Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\",\"rdfs:label\":\"Remote Data Staging\"},{\"@id\":\"d3f:T1075\",\"d3f:attack-id\":\"T1075\",\"d3f:definition\":\"Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. 
Once authenticated, PtH may be used to perform actions on local or remote systems.\",\"rdfs:label\":\"Pass the Hash\"},{\"@id\":\"d3f:T1076\",\"d3f:attack-id\":\"T1076\",\"d3f:definition\":\"Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.\",\"rdfs:label\":\"Remote Desktop Protocol\"},{\"@id\":\"d3f:T1077\",\"d3f:attack-id\":\"T1077\",\"d3f:definition\":\"Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include \u003Ccode>C$\u003C/code>, \u003Ccode>ADMIN$\u003C/code>, and \u003Ccode>IPC$\u003C/code>.\",\"rdfs:label\":\"Windows Admin Shares\"},{\"@id\":\"d3f:T1078\",\"d3f:attack-id\":\"T1078\",\"d3f:definition\":\"Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. 
Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\",\"rdfs:label\":\"Valid Accounts\"},{\"@id\":\"d3f:T1078.001\",\"d3f:attack-id\":\"T1078.001\",\"d3f:definition\":\"Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\",\"rdfs:label\":\"Default Accounts\"},{\"@id\":\"d3f:T1078.002\",\"d3f:attack-id\":\"T1078.002\",\"d3f:definition\":\"Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\",\"rdfs:label\":\"Domain Accounts\"},{\"@id\":\"d3f:T1078.003\",\"d3f:attack-id\":\"T1078.003\",\"d3f:definition\":\"Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. 
Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\",\"rdfs:label\":\"Local Accounts\"},{\"@id\":\"d3f:T1078.004\",\"d3f:attack-id\":\"T1078.004\",\"d3f:definition\":\"Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\",\"rdfs:label\":\"Cloud Accounts\"},{\"@id\":\"d3f:T1079\",\"d3f:attack-id\":\"T1079\",\"d3f:definition\":\"An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.\",\"rdfs:label\":\"Multilayer Encryption\"},{\"@id\":\"d3f:T1080\",\"d3f:attack-id\":\"T1080\",\"d3f:definition\":\"\",\"rdfs:label\":\"Taint Shared Content\"},{\"@id\":\"d3f:T1081\",\"d3f:attack-id\":\"T1081\",\"d3f:definition\":\"Adversaries may search local file systems and remote file shares for files containing passwords. 
These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\",\"rdfs:label\":\"Credentials in Files\"},{\"@id\":\"d3f:T1082\",\"d3f:attack-id\":\"T1082\",\"d3f:definition\":\"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"System Information Discovery\"},{\"@id\":\"d3f:T1083\",\"d3f:attack-id\":\"T1083\",\"d3f:definition\":\"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"File and Directory Discovery\"},{\"@id\":\"d3f:T1084\",\"d3f:attack-id\":\"T1084\",\"d3f:definition\":\"Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). 
(Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)\",\"rdfs:label\":\"Windows Management Instrumentation Event Subscription\"},{\"@id\":\"d3f:T1085\",\"d3f:attack-id\":\"T1085\",\"d3f:definition\":\"The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\",\"rdfs:label\":\"Rundll32\"},{\"@id\":\"d3f:T1086\",\"d3f:attack-id\":\"T1086\",\"d3f:definition\":\"PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.\",\"rdfs:label\":\"PowerShell\"},{\"@id\":\"d3f:T1087\",\"d3f:attack-id\":\"T1087\",\"d3f:definition\":\"Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\",\"rdfs:label\":\"Account Discovery\"},{\"@id\":\"d3f:T1087.001\",\"d3f:attack-id\":\"T1087.001\",\"d3f:definition\":\"Adversaries may attempt to get a listing of local system accounts. 
This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\",\"rdfs:label\":\"Local Account\"},{\"@id\":\"d3f:T1087.002\",\"d3f:attack-id\":\"T1087.002\",\"d3f:definition\":\"Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\",\"rdfs:label\":\"Domain Account\"},{\"@id\":\"d3f:T1087.003\",\"d3f:attack-id\":\"T1087.003\",\"d3f:definition\":\"Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\",\"rdfs:label\":\"Email Account\"},{\"@id\":\"d3f:T1087.004\",\"d3f:attack-id\":\"T1087.004\",\"d3f:definition\":\"Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\",\"rdfs:label\":\"Cloud Account\"},{\"@id\":\"d3f:T1088\",\"d3f:attack-id\":\"T1088\",\"d3f:definition\":\"Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\",\"rdfs:label\":\"Bypass User Account Control\"},{\"@id\":\"d3f:T1089\",\"d3f:attack-id\":\"T1089\",\"d3f:definition\":\"Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.\",\"rdfs:label\":\"Disabling Security Tools\"},{\"@id\":\"d3f:T1090\",\"d3f:attack-id\":\"T1090\",\"d3f:definition\":\"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\",\"rdfs:label\":\"Proxy\"},{\"@id\":\"d3f:T1090.001\",\"d3f:attack-id\":\"T1090.001\",\"d3f:definition\":\"Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. 
Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\",\"rdfs:label\":\"Internal Proxy\"},{\"@id\":\"d3f:T1090.002\",\"d3f:attack-id\":\"T1090.002\",\"d3f:definition\":\"Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\",\"rdfs:label\":\"External Proxy\"},{\"@id\":\"d3f:T1090.003\",\"d3f:attack-id\":\"T1090.003\",\"d3f:definition\":\"Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\",\"rdfs:label\":\"Multi-hop Proxy\"},{\"@id\":\"d3f:T1090.004\",\"d3f:attack-id\":\"T1090.004\",\"d3f:definition\":\"Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. 
(Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, \\\"domainless\\\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\",\"rdfs:label\":\"Domain Fronting\"},{\"@id\":\"d3f:T1091\",\"d3f:attack-id\":\"T1091\",\"d3f:definition\":\"Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.\",\"rdfs:label\":\"Replication Through Removable Media\"},{\"@id\":\"d3f:T1092\",\"d3f:attack-id\":\"T1092\",\"d3f:definition\":\"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). 
Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.\",\"rdfs:label\":\"Communication Through Removable Media\"},{\"@id\":\"d3f:T1093\",\"d3f:attack-id\":\"T1093\",\"d3f:definition\":\"Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Elastic Process Injection July 2017)\",\"rdfs:label\":\"Process Hollowing\"},{\"@id\":\"d3f:T1094\",\"d3f:attack-id\":\"T1094\",\"d3f:definition\":\"Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.\",\"rdfs:label\":\"Custom Command and Control Protocol\"},{\"@id\":\"d3f:T1095\",\"d3f:attack-id\":\"T1095\",\"d3f:definition\":\"Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. 
The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\",\"rdfs:label\":\"Non-Application Layer Protocol\"},{\"@id\":\"d3f:T1096\",\"d3f:attack-id\":\"T1096\",\"d3f:definition\":\"Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\",\"rdfs:label\":\"NTFS File Attributes\"},{\"@id\":\"d3f:T1097\",\"d3f:attack-id\":\"T1097\",\"d3f:definition\":\"Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\",\"rdfs:label\":\"Pass the Ticket\"},{\"@id\":\"d3f:T1098\",\"d3f:attack-id\":\"T1098\",\"d3f:definition\":\"Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. 
Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.\",\"rdfs:label\":\"Account Manipulation\"},{\"@id\":\"d3f:T1098.001\",\"d3f:attack-id\":\"T1098.001\",\"d3f:definition\":\"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\",\"rdfs:label\":\"Additional Cloud Credentials\"},{\"@id\":\"d3f:T1098.002\",\"d3f:attack-id\":\"T1098.002\",\"d3f:definition\":\"Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.\",\"rdfs:label\":\"Additional Email Delegate Permissions\"},{\"@id\":\"d3f:T1098.003\",\"d3f:attack-id\":\"T1098.003\",\"d3f:definition\":\"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. 
For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\",\"rdfs:label\":\"Additional Cloud Roles\"},{\"@id\":\"d3f:T1098.004\",\"d3f:attack-id\":\"T1098.004\",\"d3f:definition\":\"Adversaries may modify the SSH \u003Ccode>authorized_keys\u003C/code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The \u003Ccode>authorized_keys\u003C/code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under \u003Ccode><user-home>/.ssh/authorized_keys\u003C/code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under \u003Ccode>/etc/ssh/sshd_config\u003C/code>.\",\"rdfs:label\":\"SSH Authorized Keys\"},{\"@id\":\"d3f:T1098.005\",\"d3f:attack-id\":\"T1098.005\",\"d3f:definition\":\"Adversaries may register a device to an adversary-controlled account. 
Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\",\"rdfs:label\":\"Device Registration\"},{\"@id\":\"d3f:T1098.006\",\"d3f:attack-id\":\"T1098.006\",\"d3f:definition\":\"An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)\",\"rdfs:label\":\"Additional Container Cluster Roles\"},{\"@id\":\"d3f:T1098.007\",\"d3f:attack-id\":\"T1098.007\",\"d3f:definition\":\"An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.\",\"rdfs:label\":\"Additional Local or Domain Groups\"},{\"@id\":\"d3f:T1099\",\"d3f:attack-id\":\"T1099\",\"d3f:definition\":\"Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. 
(Citation: WindowsIR Anti-Forensic Techniques)\",\"rdfs:label\":\"Timestomp\"},{\"@id\":\"d3f:T1100\",\"d3f:attack-id\":\"T1100\",\"d3f:definition\":\"A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)\",\"rdfs:label\":\"Web Shell\"},{\"@id\":\"d3f:T1101\",\"d3f:attack-id\":\"T1101\",\"d3f:definition\":\"Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: \u003Ccode>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages\u003C/code> and \u003Ccode>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages\u003C/code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.\",\"rdfs:label\":\"Security Support Provider\"},{\"@id\":\"d3f:T1102\",\"d3f:attack-id\":\"T1102\",\"d3f:definition\":\"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. 
Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\",\"rdfs:label\":\"Web Service\"},{\"@id\":\"d3f:T1102.001\",\"d3f:attack-id\":\"T1102.001\",\"d3f:definition\":\"Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\",\"rdfs:label\":\"Dead Drop Resolver\"},{\"@id\":\"d3f:T1102.002\",\"d3f:attack-id\":\"T1102.002\",\"d3f:definition\":\"Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.\",\"rdfs:label\":\"Bidirectional Communication\"},{\"@id\":\"d3f:T1102.003\",\"d3f:attack-id\":\"T1102.003\",\"d3f:definition\":\"Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. 
Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\",\"rdfs:label\":\"One-Way Communication\"},{\"@id\":\"d3f:T1103\",\"d3f:attack-id\":\"T1103\",\"d3f:definition\":\"Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys \u003Ccode>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\u003C/code> or \u003Ccode>HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\u003C/code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)\",\"rdfs:label\":\"AppInit DLLs\"},{\"@id\":\"d3f:T1104\",\"d3f:attack-id\":\"T1104\",\"d3f:definition\":\"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. 
Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\",\"rdfs:label\":\"Multi-Stage Channels\"},{\"@id\":\"d3f:T1105\",\"d3f:attack-id\":\"T1105\",\"d3f:definition\":\"Session is initiated by the client, and may be a custom protocol which is why it is related to generic network traffic instead of file transfer network traffic.\",\"rdfs:label\":\"Ingress Tool Transfer\"},{\"@id\":\"d3f:T1106\",\"d3f:attack-id\":\"T1106\",\"d3f:definition\":\"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\",\"rdfs:label\":\"Native API\"},{\"@id\":\"d3f:T1107\",\"d3f:attack-id\":\"T1107\",\"d3f:definition\":\"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"rdfs:label\":\"File Deletion\"},{\"@id\":\"d3f:T1108\",\"d3f:attack-id\":\"T1108\",\"d3f:definition\":\"**This technique has been deprecated. 
Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**\",\"rdfs:label\":\"Redundant Access\"},{\"@id\":\"d3f:T1109\",\"d3f:attack-id\":\"T1109\",\"d3f:definition\":\"Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1019) but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.\",\"rdfs:label\":\"Component Firmware\"},{\"@id\":\"d3f:T1110\",\"d3f:attack-id\":\"T1110\",\"d3f:definition\":\"Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\",\"rdfs:label\":\"Brute Force\"},{\"@id\":\"d3f:T1110.001\",\"d3f:attack-id\":\"T1110.001\",\"d3f:definition\":\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. 
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\",\"rdfs:label\":\"Password Guessing\"},{\"@id\":\"d3f:T1110.002\",\"d3f:attack-id\":\"T1110.002\",\"d3f:definition\":\"Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, but this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)\",\"rdfs:label\":\"Password Cracking\"},{\"@id\":\"d3f:T1110.003\",\"d3f:attack-id\":\"T1110.003\",\"d3f:definition\":\"Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. 
(Citation: BlackHillsInfosec Password Spraying)\",\"rdfs:label\":\"Password Spraying\"},{\"@id\":\"d3f:T1110.004\",\"d3f:attack-id\":\"T1110.004\",\"d3f:definition\":\"Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\",\"rdfs:label\":\"Credential Stuffing\"},{\"@id\":\"d3f:T1111\",\"d3f:attack-id\":\"T1111\",\"d3f:definition\":\"Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.\",\"rdfs:label\":\"Multi-Factor Authentication Interception\"},{\"@id\":\"d3f:T1112\",\"d3f:attack-id\":\"T1112\",\"d3f:definition\":\"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\",\"rdfs:label\":\"Modify Registry\"},{\"@id\":\"d3f:T1113\",\"d3f:attack-id\":\"T1113\",\"d3f:definition\":\"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. 
Taking a screenshot is also typically possible through native utilities or API calls, such as \u003Ccode>CopyFromScreen\u003C/code>, \u003Ccode>xwd\u003C/code>, or \u003Ccode>screencapture\u003C/code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\",\"rdfs:label\":\"Screen Capture\"},{\"@id\":\"d3f:T1114\",\"d3f:attack-id\":\"T1114\",\"d3f:definition\":\"Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.\",\"rdfs:label\":\"Email Collection\"},{\"@id\":\"d3f:T1114.001\",\"d3f:attack-id\":\"T1114.001\",\"d3f:definition\":\"Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\",\"rdfs:label\":\"Local Email Collection\"},{\"@id\":\"d3f:T1114.002\",\"d3f:attack-id\":\"T1114.002\",\"d3f:definition\":\"Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.\",\"rdfs:label\":\"Remote Email Collection\"},{\"@id\":\"d3f:T1114.003\",\"d3f:attack-id\":\"T1114.003\",\"d3f:definition\":\"Adversaries may set up email forwarding rules to collect sensitive information. 
Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\",\"rdfs:label\":\"Email Forwarding Rule\"},{\"@id\":\"d3f:T1115\",\"d3f:attack-id\":\"T1115\",\"d3f:definition\":\"Adversaries may collect data stored in the clipboard from users copying information within or between applications.\",\"rdfs:label\":\"Clipboard Data\"},{\"@id\":\"d3f:T1116\",\"d3f:attack-id\":\"T1116\",\"d3f:definition\":\"Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. 
(Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)\",\"rdfs:label\":\"Code Signing\"},{\"@id\":\"d3f:T1117\",\"d3f:attack-id\":\"T1117\",\"d3f:definition\":\"Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\",\"rdfs:label\":\"Regsvr32\"},{\"@id\":\"d3f:T1118\",\"d3f:attack-id\":\"T1118\",\"d3f:definition\":\"InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: \u003Ccode>C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v\u003Cversion>\\\\InstallUtil.exe\u003C/code> and \u003Ccode>C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v\u003Cversion>\\\\InstallUtil.exe\u003C/code>. InstallUtil.exe is digitally signed by Microsoft.\",\"rdfs:label\":\"InstallUtil\"},{\"@id\":\"d3f:T1119\",\"d3f:attack-id\":\"T1119\",\"d3f:definition\":\"Once established within a system or network, an adversary may use automated techniques for collecting internal data. 
Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.\",\"rdfs:label\":\"Automated Collection\"},{\"@id\":\"d3f:T1120\",\"d3f:attack-id\":\"T1120\",\"d3f:definition\":\"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.\",\"rdfs:label\":\"Peripheral Device Discovery\"},{\"@id\":\"d3f:T1121\",\"d3f:attack-id\":\"T1121\",\"d3f:definition\":\"Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\",\"rdfs:label\":\"Regsvcs/Regasm\"},{\"@id\":\"d3f:T1122\",\"d3f:attack-id\":\"T1122\",\"d3f:definition\":\"The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. 
When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.\",\"rdfs:label\":\"Component Object Model Hijacking\"},{\"@id\":\"d3f:T1123\",\"d3f:attack-id\":\"T1123\",\"d3f:definition\":\"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)\",\"rdfs:label\":\"Audio Capture\"},{\"@id\":\"d3f:T1124\",\"d3f:attack-id\":\"T1124\",\"d3f:definition\":\"An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or \u003Ccode>systemsetup\u003C/code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)\",\"rdfs:label\":\"System Time Discovery\"},{\"@id\":\"d3f:T1125\",\"d3f:attack-id\":\"T1125\",\"d3f:definition\":\"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. 
Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\",\"rdfs:label\":\"Video Capture\"},{\"@id\":\"d3f:T1126\",\"d3f:attack-id\":\"T1126\",\"d3f:definition\":\"Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the \u003Ccode>net use \\\\\\\\system\\\\share /delete\u003C/code> command. (Citation: Technet Net Use)\",\"rdfs:label\":\"Network Share Connection Removal\"},{\"@id\":\"d3f:T1127\",\"d3f:attack-id\":\"T1127\",\"d3f:definition\":\"Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\",\"rdfs:label\":\"Trusted Developer Utilities Proxy Execution\"},{\"@id\":\"d3f:T1127.001\",\"d3f:attack-id\":\"T1127.001\",\"d3f:definition\":\"Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. 
It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\",\"rdfs:label\":\"MSBuild\"},{\"@id\":\"d3f:T1127.002\",\"d3f:attack-id\":\"T1127.002\",\"d3f:definition\":\"Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)\",\"rdfs:label\":\"ClickOnce\"},{\"@id\":\"d3f:T1128\",\"d3f:attack-id\":\"T1128\",\"d3f:definition\":\"Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at \u003Ccode>HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\u003C/code>.\",\"rdfs:label\":\"Netsh Helper DLL\"},{\"@id\":\"d3f:T1129\",\"d3f:attack-id\":\"T1129\",\"d3f:definition\":\"Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\",\"rdfs:label\":\"Shared Modules\"},{\"@id\":\"d3f:T1130\",\"d3f:attack-id\":\"T1130\",\"d3f:definition\":\"Root certificates are used in public key cryptography to identify a root certificate authority (CA). 
When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\",\"rdfs:label\":\"Install Root Certificate\"},{\"@id\":\"d3f:T1131\",\"d3f:attack-id\":\"T1131\",\"d3f:definition\":\"Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\",\"rdfs:label\":\"Authentication Package\"},{\"@id\":\"d3f:T1132\",\"d3f:attack-id\":\"T1132\",\"d3f:definition\":\"Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.\",\"rdfs:label\":\"Data Encoding\"},{\"@id\":\"d3f:T1132.001\",\"d3f:attack-id\":\"T1132.001\",\"d3f:definition\":\"Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. 
Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.\",\"rdfs:label\":\"Standard Encoding\"},{\"@id\":\"d3f:T1132.002\",\"d3f:attack-id\":\"T1132.002\",\"d3f:definition\":\"Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)\",\"rdfs:label\":\"Non-Standard Encoding\"},{\"@id\":\"d3f:T1133\",\"d3f:attack-id\":\"T1133\",\"d3f:definition\":\"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. 
Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\",\"rdfs:label\":\"External Remote Services\"},{\"@id\":\"d3f:T1134\",\"d3f:attack-id\":\"T1134\",\"d3f:definition\":\"Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\",\"rdfs:label\":\"Access Token Manipulation\"},{\"@id\":\"d3f:T1134.001\",\"d3f:attack-id\":\"T1134.001\",\"d3f:definition\":\"Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\",\"rdfs:label\":\"Token Impersonation/Theft\"},{\"@id\":\"d3f:T1134.002\",\"d3f:attack-id\":\"T1134.002\",\"d3f:definition\":\"Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. 
Processes can be created with the token and resulting security context of another user using features such as \u003Ccode>CreateProcessWithTokenW\u003C/code> and \u003Ccode>runas\u003C/code>.(Citation: Microsoft RunAs)\",\"rdfs:label\":\"Create Process with Token\"},{\"@id\":\"d3f:T1134.003\",\"d3f:attack-id\":\"T1134.003\",\"d3f:definition\":\"Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\",\"rdfs:label\":\"Make and Impersonate Token\"},{\"@id\":\"d3f:T1134.004\",\"d3f:attack-id\":\"T1134.004\",\"d3f:definition\":\"Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the \u003Ccode>CreateProcess\u003C/code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via \u003Ccode>svchost.exe\u003C/code> or \u003Ccode>consent.exe\u003C/code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\",\"rdfs:label\":\"Parent PID Spoofing\"},{\"@id\":\"d3f:T1134.005\",\"d3f:attack-id\":\"T1134.005\",\"d3f:definition\":\"Adversaries may use SID-History Injection to escalate privileges and bypass access controls. 
The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\",\"rdfs:label\":\"SID-History Injection\"},{\"@id\":\"d3f:T1135\",\"d3f:attack-id\":\"T1135\",\"d3f:definition\":\"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\",\"rdfs:label\":\"Network Share Discovery\"},{\"@id\":\"d3f:T1136\",\"d3f:attack-id\":\"T1136\",\"d3f:definition\":\"Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.\",\"rdfs:label\":\"Create Account\"},{\"@id\":\"d3f:T1136.001\",\"d3f:attack-id\":\"T1136.001\",\"d3f:definition\":\"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\",\"rdfs:label\":\"Local Account\"},{\"@id\":\"d3f:T1136.002\",\"d3f:attack-id\":\"T1136.002\",\"d3f:definition\":\"Adversaries may create a domain account to maintain access to victim systems. 
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the \u003Ccode>net user /add /domain\u003C/code> command can be used to create a domain account.(Citation: Savill 1999)\",\"rdfs:label\":\"Domain Account\"},{\"@id\":\"d3f:T1136.003\",\"d3f:attack-id\":\"T1136.003\",\"d3f:definition\":\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\",\"rdfs:label\":\"Cloud Account\"},{\"@id\":\"d3f:T1137\",\"d3f:attack-id\":\"T1137\",\"d3f:definition\":\"Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\",\"rdfs:label\":\"Office Application Startup\"},{\"@id\":\"d3f:T1137.001\",\"d3f:attack-id\":\"T1137.001\",\"d3f:definition\":\"Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. 
(Citation: Microsoft Change Normal Template)\",\"rdfs:label\":\"Office Template Macros\"},{\"@id\":\"d3f:T1137.002\",\"d3f:attack-id\":\"T1137.002\",\"d3f:definition\":\"Adversaries may abuse the Microsoft Office \\\"Office Test\\\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\",\"rdfs:label\":\"Office Test\"},{\"@id\":\"d3f:T1137.003\",\"d3f:attack-id\":\"T1137.003\",\"d3f:definition\":\"Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\",\"rdfs:label\":\"Outlook Forms\"},{\"@id\":\"d3f:T1137.004\",\"d3f:attack-id\":\"T1137.004\",\"d3f:definition\":\"Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\",\"rdfs:label\":\"Outlook Home Page\"},{\"@id\":\"d3f:T1137.005\",\"d3f:attack-id\":\"T1137.005\",\"d3f:definition\":\"Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. 
Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\",\"rdfs:label\":\"Outlook Rules\"},{\"@id\":\"d3f:T1137.006\",\"d3f:attack-id\":\"T1137.006\",\"d3f:definition\":\"Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\",\"rdfs:label\":\"Add-ins\"},{\"@id\":\"d3f:T1138\",\"d3f:attack-id\":\"T1138\",\"d3f:definition\":\"The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). 
If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS.\",\"rdfs:label\":\"Application Shimming\"},{\"@id\":\"d3f:T1139\",\"d3f:attack-id\":\"T1139\",\"d3f:definition\":\"Bash keeps track of the commands users type on the command-line with the \\\"history\\\" utility. Once a user logs out, the history is flushed to the user’s \u003Ccode>.bash_history\u003C/code> file. For each user, this file resides at the same location: \u003Ccode>~/.bash_history\u003C/code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)\",\"rdfs:label\":\"Bash History\"},{\"@id\":\"d3f:T1140\",\"d3f:attack-id\":\"T1140\",\"d3f:definition\":\"Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. 
Methods for doing that include built-in functionality of malware or by using utilities present on the system.\",\"rdfs:label\":\"Deobfuscate/Decode Files or Information\"},{\"@id\":\"d3f:T1141\",\"d3f:attack-id\":\"T1141\",\"d3f:definition\":\"When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).\",\"rdfs:label\":\"Input Prompt\"},{\"@id\":\"d3f:T1142\",\"d3f:attack-id\":\"T1142\",\"d3f:definition\":\"Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in \u003Ccode>~/Library/Keychains/\u003C/code>,\u003Ccode>/Library/Keychains/\u003C/code>, and \u003Ccode>/Network/Library/Keychains/\u003C/code>. (Citation: Wikipedia keychain) The \u003Ccode>security\u003C/code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\",\"rdfs:label\":\"Keychain\"},{\"@id\":\"d3f:T1143\",\"d3f:attack-id\":\"T1143\",\"d3f:definition\":\"Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. 
Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\",\"rdfs:label\":\"Hidden Window\"},{\"@id\":\"d3f:T1144\",\"d3f:attack-id\":\"T1144\",\"d3f:definition\":\"In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called \u003Ccode>com.apple.quarantine\u003C/code>. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.\",\"rdfs:label\":\"Gatekeeper Bypass\"},{\"@id\":\"d3f:T1145\",\"d3f:attack-id\":\"T1145\",\"d3f:definition\":\"Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)\",\"rdfs:label\":\"Private Keys\"},{\"@id\":\"d3f:T1146\",\"d3f:attack-id\":\"T1146\",\"d3f:definition\":\"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable \u003Ccode>HISTFILE\u003C/code>. When a user logs off a system, this information is flushed to a file in the user's home directory called \u003Ccode>~/.bash_history\u003C/code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. 
Additionally, adversaries can use a variety of methods to prevent their own commands from appearing in these logs such as \u003Ccode>unset HISTFILE\u003C/code>, \u003Ccode>export HISTFILESIZE=0\u003C/code>, \u003Ccode>history -c\u003C/code>, \u003Ccode>rm ~/.bash_history\u003C/code>.\",\"rdfs:label\":\"Clear Command History\"},{\"@id\":\"d3f:T1147\",\"d3f:attack-id\":\"T1147\",\"d3f:definition\":\"Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in \u003Ccode>/Library/Preferences/com.apple.loginwindow\u003C/code> called \u003Ccode>Hide500Users\u003C/code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: \u003Ccode>sudo dscl . -create /Users/username UniqueID 401\u003C/code> (Citation: Cybereason OSX Pirrit).\",\"rdfs:label\":\"Hidden Users\"},{\"@id\":\"d3f:T1148\",\"d3f:attack-id\":\"T1148\",\"d3f:definition\":\"The \u003Ccode>HISTCONTROL\u003C/code> environment variable keeps track of what should be saved by the \u003Ccode>history\u003C/code> command and eventually into the \u003Ccode>~/.bash_history\u003C/code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \\\"ignorespace\\\". \u003Ccode>HISTCONTROL\u003C/code> can also be set to ignore duplicate commands by setting it to \\\"ignoredups\\\". In some Linux systems, this is set by default to \\\"ignoreboth\\\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. \u003Ccode>HISTCONTROL\u003C/code> does not exist by default on macOS, but can be set by the user and will be respected. 
Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.\",\"rdfs:label\":\"HISTCONTROL\"},{\"@id\":\"d3f:T1149\",\"d3f:attack-id\":\"T1149\",\"d3f:definition\":\"**This technique has been deprecated and should no longer be used.**\",\"rdfs:label\":\"LC_MAIN Hijacking\"},{\"@id\":\"d3f:T1150\",\"d3f:attack-id\":\"T1150\",\"d3f:definition\":\"Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by \u003C >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as \u003Ccode>/Library/Preferences\u003C/code> (which execute with elevated privileges) and \u003Ccode>~/Library/Preferences\u003C/code> (which execute with a user's privileges).\",\"rdfs:label\":\"Plist Modification\"},{\"@id\":\"d3f:T1151\",\"d3f:attack-id\":\"T1151\",\"d3f:definition\":\"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). 
However, if the file is renamed to \\\"evil.txt \\\" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\",\"rdfs:label\":\"Space after Filename\"},{\"@id\":\"d3f:T1152\",\"d3f:attack-id\":\"T1152\",\"d3f:definition\":\"Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as \u003Ccode>launchctl submit -l \u003ClabelName> -- /Path/to/thing/to/execute \\\"arg\\\" \\\"arg\\\" \\\"arg\\\"\u003C/code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.\",\"rdfs:label\":\"Launchctl\"},{\"@id\":\"d3f:T1153\",\"d3f:attack-id\":\"T1153\",\"d3f:definition\":\"**This technique has been deprecated and should no longer be used.**\",\"rdfs:label\":\"Source\"},{\"@id\":\"d3f:T1154\",\"d3f:attack-id\":\"T1154\",\"d3f:definition\":\"The \u003Ccode>trap\u003C/code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like \u003Ccode>ctrl+c\u003C/code> and \u003Ccode>ctrl+d\u003C/code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. 
Trap commands are of the following format \u003Ccode>trap 'command list' signals\u003C/code> where \\\"command list\\\" will be executed when \\\"signals\\\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)\",\"rdfs:label\":\"Trap\"},{\"@id\":\"d3f:T1155\",\"d3f:attack-id\":\"T1155\",\"d3f:definition\":\"macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the \u003Ccode>osalang\u003C/code> program.\",\"rdfs:label\":\"AppleScript\"},{\"@id\":\"d3f:T1156\",\"d3f:attack-id\":\"T1156\",\"d3f:definition\":\"Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command line interface or remotely logs in (such as SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use \u003Ccode>/etc/profile\u003C/code> when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.\",\"rdfs:label\":\"Malicious Shell Modification\"},{\"@id\":\"d3f:T1157\",\"d3f:attack-id\":\"T1157\",\"d3f:definition\":\"macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. 
Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.\",\"rdfs:label\":\"Dylib Hijacking\"},{\"@id\":\"d3f:T1158\",\"d3f:attack-id\":\"T1158\",\"d3f:definition\":\"To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (\u003Ccode>dir /a\u003C/code> for Windows and \u003Ccode>ls -a\u003C/code> for Linux and macOS).\",\"rdfs:label\":\"Hidden Files and Directories\"},{\"@id\":\"d3f:T1159\",\"d3f:attack-id\":\"T1159\",\"d3f:definition\":\"Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in \u003Ccode>/System/Library/LaunchAgents\u003C/code>, \u003Ccode>/Library/LaunchAgents\u003C/code>, and \u003Ccode>$HOME/Library/LaunchAgents\u003C/code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).\",\"rdfs:label\":\"Launch Agent\"},{\"@id\":\"d3f:T1160\",\"d3f:attack-id\":\"T1160\",\"d3f:definition\":\"Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in \u003Ccode>/System/Library/LaunchDaemons\u003C/code> and \u003Ccode>/Library/LaunchDaemons\u003C/code> (Citation: AppleDocs Launch Agent Daemons). 
These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).\",\"rdfs:label\":\"Launch Daemon\"},{\"@id\":\"d3f:T1161\",\"d3f:attack-id\":\"T1161\",\"d3f:definition\":\"Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).\",\"rdfs:label\":\"LC_LOAD_DYLIB Addition\"},{\"@id\":\"d3f:T1162\",\"d3f:attack-id\":\"T1162\",\"d3f:definition\":\"MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's \u003Ccode>~/Library/Preferences/\u003C/code> directory in a plist file called \u003Ccode>com.apple.loginitems.plist\u003C/code> (Citation: Methods of Mac Malware Persistence). 
Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modify an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method \u003Ccode> SMLoginItemSetEnabled \u003C/code> can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well (Citation: Adding Login Items).\",\"rdfs:label\":\"Login Item\"},{\"@id\":\"d3f:T1163\",\"d3f:attack-id\":\"T1163\",\"d3f:definition\":\"During the boot process, macOS executes \u003Ccode>source /etc/rc.common\u003C/code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\",\"rdfs:label\":\"Rc.common\"},{\"@id\":\"d3f:T1164\",\"d3f:attack-id\":\"T1164\",\"d3f:definition\":\"Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. 
While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at \u003Ccode>~/Library/Preferences/com.apple.loginwindow.plist\u003C/code> and \u003Ccode>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist\u003C/code>.\",\"rdfs:label\":\"Re-opened Applications\"},{\"@id\":\"d3f:T1165\",\"d3f:attack-id\":\"T1165\",\"d3f:definition\":\"Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, \u003Ccode>/Library/StartupItems\u003C/code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), \u003Ccode>StartupParameters.plist\u003C/code>, reside in the top-level directory.\",\"rdfs:label\":\"Startup Items\"},{\"@id\":\"d3f:T1166\",\"d3f:attack-id\":\"T1166\",\"d3f:definition\":\"When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. 
These bits are indicated with an \\\"s\\\" instead of an \\\"x\\\" when viewing a file's attributes via \u003Ccode>ls -l\u003C/code>. The \u003Ccode>chmod\u003C/code> program can set these bits via bitmasking, \u003Ccode>chmod 4777 [file]\u003C/code> or via shorthand naming, \u003Ccode>chmod u+s [file]\u003C/code>.\",\"rdfs:label\":\"Setuid and Setgid\"},{\"@id\":\"d3f:T1167\",\"d3f:attack-id\":\"T1167\",\"d3f:definition\":\"In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain)\",\"rdfs:label\":\"Securityd Memory\"},{\"@id\":\"d3f:T1168\",\"d3f:attack-id\":\"T1168\",\"d3f:definition\":\"On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).\",\"rdfs:label\":\"Local Job Scheduling\"},{\"@id\":\"d3f:T1169\",\"d3f:attack-id\":\"T1169\",\"d3f:definition\":\"The sudoers file, \u003Ccode>/etc/sudoers\u003C/code>, describes which users can run which commands and from which terminals. 
This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like \u003Ccode>user1 ALL=(ALL) NOPASSWD: ALL\u003C/code> (Citation: OSX.Dok Malware).\",\"rdfs:label\":\"Sudo\"},{\"@id\":\"d3f:T1170\",\"d3f:attack-id\":\"T1170\",\"d3f:definition\":\"Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension \u003Ccode>.hta\u003C/code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\",\"rdfs:label\":\"Mshta\"},{\"@id\":\"d3f:T1171\",\"d3f:attack-id\":\"T1171\",\"d3f:definition\":\"Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\",\"rdfs:label\":\"LLMNR/NBT-NS Poisoning and Relay\"},{\"@id\":\"d3f:T1172\",\"d3f:attack-id\":\"T1172\",\"d3f:definition\":\"Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. 
(Citation: Fifield Blocking Resistent Communication through domain fronting 2015) The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, \\\"domainless\\\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\",\"rdfs:label\":\"Domain Fronting\"},{\"@id\":\"d3f:T1173\",\"d3f:attack-id\":\"T1173\",\"d3f:definition\":\"Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\",\"rdfs:label\":\"Dynamic Data Exchange\"},{\"@id\":\"d3f:T1174\",\"d3f:attack-id\":\"T1174\",\"d3f:definition\":\"Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.\",\"rdfs:label\":\"Password Filter DLL\"},{\"@id\":\"d3f:T1175\",\"d3f:attack-id\":\"T1175\",\"d3f:definition\":\"**This technique has been deprecated. 
Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).**\",\"rdfs:label\":\"Component Object Model and Distributed COM\"},{\"@id\":\"d3f:T1176\",\"d3f:attack-id\":\"T1176\",\"d3f:definition\":\"Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\",\"rdfs:label\":\"Browser Extensions\"},{\"@id\":\"d3f:T1177\",\"d3f:attack-id\":\"T1177\",\"d3f:definition\":\"The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\",\"rdfs:label\":\"LSASS Driver\"},{\"@id\":\"d3f:T1178\",\"d3f:attack-id\":\"T1178\",\"d3f:definition\":\"The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. 
(Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\",\"rdfs:label\":\"SID-History Injection\"},{\"@id\":\"d3f:T1179\",\"d3f:attack-id\":\"T1179\",\"d3f:definition\":\"Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.\",\"rdfs:label\":\"Hooking\"},{\"@id\":\"d3f:T1180\",\"d3f:attack-id\":\"T1180\",\"d3f:definition\":\"Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in \u003Ccode>C:\\\\Windows\\\\System32\\\\\u003C/code>, and \u003Ccode>C:\\\\Windows\\\\sysWOW64\\\\\u003C/code> on 64-bit Windows systems, along with screensavers included with base Windows installations.\",\"rdfs:label\":\"Screensaver\"},{\"@id\":\"d3f:T1181\",\"d3f:attack-id\":\"T1181\",\"d3f:definition\":\"Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. 
(Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\",\"rdfs:label\":\"Extra Window Memory Injection\"},{\"@id\":\"d3f:T1182\",\"d3f:attack-id\":\"T1182\",\"d3f:definition\":\"Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under \u003Ccode>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\u003C/code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\",\"rdfs:label\":\"AppCert DLLs\"},{\"@id\":\"d3f:T1183\",\"d3f:attack-id\":\"T1183\",\"d3f:definition\":\"Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\\\dbg\\\\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)\",\"rdfs:label\":\"Image File Execution Options Injection\"},{\"@id\":\"d3f:T1184\",\"d3f:attack-id\":\"T1184\",\"d3f:definition\":\"Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. 
It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\",\"rdfs:label\":\"SSH Hijacking\"},{\"@id\":\"d3f:T1185\",\"d3f:attack-id\":\"T1185\",\"d3f:definition\":\"Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\",\"rdfs:label\":\"Browser Session Hijacking\"},{\"@id\":\"d3f:T1186\",\"d3f:attack-id\":\"T1186\",\"d3f:definition\":\"Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\",\"rdfs:label\":\"Process Doppelgänging\"},{\"@id\":\"d3f:T1187\",\"d3f:attack-id\":\"T1187\",\"d3f:definition\":\"Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\",\"rdfs:label\":\"Forced Authentication\"},{\"@id\":\"d3f:T1188\",\"d3f:attack-id\":\"T1188\",\"d3f:definition\":\"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. 
Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\",\"rdfs:label\":\"Multi-hop Proxy\"},{\"@id\":\"d3f:T1189\",\"d3f:attack-id\":\"T1189\",\"d3f:definition\":\"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\",\"rdfs:label\":\"Drive-by Compromise\"},{\"@id\":\"d3f:T1190\",\"d3f:attack-id\":\"T1190\",\"d3f:definition\":\"Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\",\"rdfs:label\":\"Exploit Public-Facing Application\"},{\"@id\":\"d3f:T1191\",\"d3f:attack-id\":\"T1191\",\"d3f:definition\":\"The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\",\"rdfs:label\":\"CMSTP\"},{\"@id\":\"d3f:T1192\",\"d3f:attack-id\":\"T1192\",\"d3f:definition\":\"Spearphishing with a link is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.\",\"rdfs:label\":\"Spearphishing Link\"},{\"@id\":\"d3f:T1193\",\"d3f:attack-id\":\"T1193\",\"d3f:definition\":\"Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\",\"rdfs:label\":\"Spearphishing Attachment\"},{\"@id\":\"d3f:T1194\",\"d3f:attack-id\":\"T1194\",\"d3f:definition\":\"Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.\",\"rdfs:label\":\"Spearphishing via Service\"},{\"@id\":\"d3f:T1195\",\"d3f:attack-id\":\"T1195\",\"d3f:definition\":\"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\",\"rdfs:label\":\"Supply Chain Compromise\"},{\"@id\":\"d3f:T1195.001\",\"d3f:attack-id\":\"T1195.001\",\"d3f:definition\":\"Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. 
Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)\",\"rdfs:label\":\"Compromise Software Dependencies and Development Tools\"},{\"@id\":\"d3f:T1195.002\",\"d3f:attack-id\":\"T1195.002\",\"d3f:definition\":\"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\",\"rdfs:label\":\"Compromise Software Supply Chain\"},{\"@id\":\"d3f:T1195.003\",\"d3f:attack-id\":\"T1195.003\",\"d3f:definition\":\"Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.\",\"rdfs:label\":\"Compromise Hardware Supply Chain\"},{\"@id\":\"d3f:T1196\",\"d3f:attack-id\":\"T1196\",\"d3f:definition\":\"Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. 
(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\",\"rdfs:label\":\"Control Panel Items\"},{\"@id\":\"d3f:T1197\",\"d3f:attack-id\":\"T1197\",\"d3f:definition\":\"Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\",\"rdfs:label\":\"BITS Jobs\"},{\"@id\":\"d3f:T1198\",\"d3f:attack-id\":\"T1198\",\"d3f:definition\":\"In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. 
(Citation: SpectorOps Subverting Trust Sept 2017)\",\"rdfs:label\":\"SIP and Trust Provider Hijacking\"},{\"@id\":\"d3f:T1199\",\"d3f:attack-id\":\"T1199\",\"d3f:definition\":\"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\",\"rdfs:label\":\"Trusted Relationship\"},{\"@id\":\"d3f:T1200\",\"d3f:attack-id\":\"T1200\",\"d3f:definition\":\"Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.\",\"rdfs:label\":\"Hardware Additions\"},{\"@id\":\"d3f:T1201\",\"d3f:attack-id\":\"T1201\",\"d3f:definition\":\"Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adhere to the policy (e.g. 
if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\",\"rdfs:label\":\"Password Policy Discovery\"},{\"@id\":\"d3f:T1202\",\"d3f:attack-id\":\"T1202\",\"d3f:definition\":\"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\",\"rdfs:label\":\"Indirect Command Execution\"},{\"@id\":\"d3f:T1203\",\"d3f:attack-id\":\"T1203\",\"d3f:definition\":\"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. 
Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility.\",\"rdfs:label\":\"Exploitation for Client Execution\"},{\"@id\":\"d3f:T1204\",\"d3f:attack-id\":\"T1204\",\"d3f:definition\":\"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\",\"rdfs:label\":\"User Execution\"},{\"@id\":\"d3f:T1204.001\",\"d3f:attack-id\":\"T1204.001\",\"d3f:definition\":\"An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).\",\"rdfs:label\":\"Malicious Link\"},{\"@id\":\"d3f:T1204.002\",\"d3f:attack-id\":\"T1204.002\",\"d3f:definition\":\"An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). 
Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\",\"rdfs:label\":\"Malicious File\"},{\"@id\":\"d3f:T1204.003\",\"d3f:attack-id\":\"T1204.003\",\"d3f:definition\":\"Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\",\"rdfs:label\":\"Malicious Image\"},{\"@id\":\"d3f:T1205\",\"d3f:attack-id\":\"T1205\",\"d3f:definition\":\"Adversaries use traffic signaling techniques, such as sending specific network sequences or magic packets, to covertly trigger actions like opening ports, activating backdoors, or installing filters, facilitating command and control, persistence, and defense evasion.\",\"rdfs:label\":\"Traffic Signaling\"},{\"@id\":\"d3f:T1205.001\",\"d3f:attack-id\":\"T1205.001\",\"d3f:definition\":\"Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. 
After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\",\"rdfs:label\":\"Port Knocking\"},{\"@id\":\"d3f:T1205.002\",\"d3f:attack-id\":\"T1205.002\",\"d3f:definition\":\"Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\",\"rdfs:label\":\"Socket Filters\"},{\"@id\":\"d3f:T1206\",\"d3f:attack-id\":\"T1206\",\"d3f:definition\":\"The \u003Ccode>sudo\u003C/code> command \\\"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\\\" (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a \u003Ccode>timestamp_timeout\u003C/code> that is the amount of time in minutes between instances of \u003Ccode>sudo\u003C/code> before it will re-prompt for a password. This is because \u003Ccode>sudo\u003C/code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at \u003Ccode>/var/db/sudo\u003C/code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a \u003Ccode>tty_tickets\u003C/code> variable that treats each new tty (terminal session) in isolation. 
This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\",\"rdfs:label\":\"Sudo Caching\"},{\"@id\":\"d3f:T1207\",\"d3f:attack-id\":\"T1207\",\"d3f:definition\":\"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\",\"rdfs:label\":\"Rogue Domain Controller\"},{\"@id\":\"d3f:T1208\",\"d3f:attack-id\":\"T1208\",\"d3f:definition\":\"Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)\",\"rdfs:label\":\"Kerberoasting\"},{\"@id\":\"d3f:T1209\",\"d3f:attack-id\":\"T1209\",\"d3f:definition\":\"The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\",\"rdfs:label\":\"Time Providers\"},{\"@id\":\"d3f:T1210\",\"d3f:attack-id\":\"T1210\",\"d3f:definition\":\"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\",\"rdfs:label\":\"Exploitation of Remote Services\"},{\"@id\":\"d3f:T1211\",\"d3f:attack-id\":\"T1211\",\"d3f:definition\":\"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\",\"rdfs:label\":\"Exploitation for Defense Evasion\"},{\"@id\":\"d3f:T1212\",\"d3f:attack-id\":\"T1212\",\"d3f:definition\":\"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. \",\"rdfs:label\":\"Exploitation for Credential Access\"},{\"@id\":\"d3f:T1213\",\"d3f:attack-id\":\"T1213\",\"d3f:definition\":\"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. 
Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.\",\"rdfs:label\":\"Data from Information Repositories\"},{\"@id\":\"d3f:T1213.001\",\"d3f:attack-id\":\"T1213.001\",\"d3f:definition\":\"\",\"rdfs:label\":\"Confluence\"},{\"@id\":\"d3f:T1213.002\",\"d3f:attack-id\":\"T1213.002\",\"d3f:definition\":\"Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\",\"rdfs:label\":\"Sharepoint\"},{\"@id\":\"d3f:T1213.003\",\"d3f:attack-id\":\"T1213.003\",\"d3f:definition\":\"Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\",\"rdfs:label\":\"Code Repositories\"},{\"@id\":\"d3f:T1213.004\",\"d3f:attack-id\":\"T1213.004\",\"d3f:definition\":\"Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. 
CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.\",\"rdfs:label\":\"Customer Relationship Management Software\"},{\"@id\":\"d3f:T1213.005\",\"d3f:attack-id\":\"T1213.005\",\"d3f:definition\":\"Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.\",\"rdfs:label\":\"Messaging Applications\"},{\"@id\":\"d3f:T1214\",\"d3f:attack-id\":\"T1214\",\"d3f:definition\":\"The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\",\"rdfs:label\":\"Credentials in Registry\"},{\"@id\":\"d3f:T1215\",\"d3f:attack-id\":\"T1215\",\"d3f:definition\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. 
(Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\",\"rdfs:label\":\"Kernel Modules and Extensions\"},{\"@id\":\"d3f:T1216\",\"d3f:attack-id\":\"T1216\",\"d3f:definition\":\"Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)\",\"rdfs:label\":\"System Script Proxy Execution\"},{\"@id\":\"d3f:T1216.001\",\"d3f:attack-id\":\"T1216.001\",\"d3f:definition\":\"Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via \u003Ccode>Cscript.exe\u003C/code>. For example, the following code publishes a printer within the specified domain: \u003Ccode>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com\u003C/code>.(Citation: pubprn)\",\"rdfs:label\":\"PubPrn\"},{\"@id\":\"d3f:T1216.002\",\"d3f:attack-id\":\"T1216.002\",\"d3f:definition\":\"Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. 
SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)\",\"rdfs:label\":\"SyncAppvPublishingServer\"},{\"@id\":\"d3f:T1217\",\"d3f:attack-id\":\"T1217\",\"d3f:definition\":\"Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\",\"rdfs:label\":\"Browser Information Discovery\"},{\"@id\":\"d3f:T1218\",\"d3f:attack-id\":\"T1218\",\"d3f:definition\":\"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.\",\"rdfs:label\":\"System Binary Proxy Execution\"},{\"@id\":\"d3f:T1218.001\",\"d3f:attack-id\":\"T1218.001\",\"d3f:definition\":\"Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. 
CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\",\"rdfs:label\":\"Compiled HTML File\"},{\"@id\":\"d3f:T1218.002\",\"d3f:attack-id\":\"T1218.002\",\"d3f:definition\":\"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\",\"rdfs:label\":\"Control Panel\"},{\"@id\":\"d3f:T1218.003\",\"d3f:attack-id\":\"T1218.003\",\"d3f:definition\":\"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\",\"rdfs:label\":\"CMSTP\"},{\"@id\":\"d3f:T1218.004\",\"d3f:attack-id\":\"T1218.004\",\"d3f:definition\":\"Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. 
(Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: \u003Ccode>C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v\u003Cversion>\\\\InstallUtil.exe\u003C/code> and \u003Ccode>C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v\u003Cversion>\\\\InstallUtil.exe\u003C/code>.\",\"rdfs:label\":\"InstallUtil\"},{\"@id\":\"d3f:T1218.005\",\"d3f:attack-id\":\"T1218.005\",\"d3f:definition\":\"Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)\",\"rdfs:label\":\"Mshta\"},{\"@id\":\"d3f:T1218.007\",\"d3f:attack-id\":\"T1218.007\",\"d3f:definition\":\"Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.\",\"rdfs:label\":\"Msiexec\"},{\"@id\":\"d3f:T1218.008\",\"d3f:attack-id\":\"T1218.008\",\"d3f:definition\":\"Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.\",\"rdfs:label\":\"Odbcconf\"},{\"@id\":\"d3f:T1218.009\",\"d3f:attack-id\":\"T1218.009\",\"d3f:definition\":\"Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. 
Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\",\"rdfs:label\":\"Regsvcs/Regasm\"},{\"@id\":\"d3f:T1218.010\",\"d3f:attack-id\":\"T1218.010\",\"d3f:definition\":\"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)\",\"rdfs:label\":\"Regsvr32\"},{\"@id\":\"d3f:T1218.011\",\"d3f:attack-id\":\"T1218.011\",\"d3f:definition\":\"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: \u003Ccode>rundll32.exe {DLLname, DLLfunction}\u003C/code>).\",\"rdfs:label\":\"Rundll32\"},{\"@id\":\"d3f:T1218.012\",\"d3f:attack-id\":\"T1218.012\",\"d3f:definition\":\"Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\",\"rdfs:label\":\"Verclsid\"},{\"@id\":\"d3f:T1218.013\",\"d3f:attack-id\":\"T1218.013\",\"d3f:definition\":\"Adversaries may abuse mavinject.exe to proxy execution of malicious code. 
Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\",\"rdfs:label\":\"Mavinject\"},{\"@id\":\"d3f:T1218.014\",\"d3f:attack-id\":\"T1218.014\",\"d3f:definition\":\"Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\",\"rdfs:label\":\"MMC\"},{\"@id\":\"d3f:T1218.015\",\"d3f:attack-id\":\"T1218.015\",\"d3f:definition\":\"Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)\",\"rdfs:label\":\"Electron Applications\"},{\"@id\":\"d3f:T1219\",\"d3f:attack-id\":\"T1219\",\"d3f:definition\":\"An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 
These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\",\"rdfs:label\":\"Remote Access Software\"},{\"@id\":\"d3f:T1220\",\"d3f:attack-id\":\"T1220\",\"d3f:definition\":\"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\",\"rdfs:label\":\"XSL Script Processing\"},{\"@id\":\"d3f:T1221\",\"d3f:attack-id\":\"T1221\",\"d3f:definition\":\"Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). 
OOXML files are packed together as ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)\",\"rdfs:label\":\"Template Injection\"},{\"@id\":\"d3f:T1222\",\"d3f:attack-id\":\"T1222\",\"d3f:definition\":\"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\",\"rdfs:label\":\"File and Directory Permissions Modification\"},{\"@id\":\"d3f:T1222.001\",\"d3f:attack-id\":\"T1222.001\",\"d3f:definition\":\"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. 
File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\",\"rdfs:label\":\"Windows File and Directory Permissions Modification\"},{\"@id\":\"d3f:T1222.002\",\"d3f:attack-id\":\"T1222.002\",\"d3f:definition\":\"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\",\"rdfs:label\":\"Linux and Mac File and Directory Permissions Modification\"},{\"@id\":\"d3f:T1223\",\"d3f:attack-id\":\"T1223\",\"d3f:definition\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\",\"rdfs:label\":\"Compiled HTML File\"},{\"@id\":\"d3f:T1480\",\"d3f:attack-id\":\"T1480\",\"d3f:definition\":\"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. 
Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\",\"rdfs:label\":\"Execution Guardrails\"},{\"@id\":\"d3f:T1480.001\",\"d3f:attack-id\":\"T1480.001\",\"d3f:definition\":\"Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\",\"rdfs:label\":\"Environmental Keying\"},{\"@id\":\"d3f:T1480.002\",\"d3f:attack-id\":\"T1480.002\",\"d3f:definition\":\"Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)\",\"rdfs:label\":\"Mutual Exclusion\"},{\"@id\":\"d3f:T1482\",\"d3f:attack-id\":\"T1482\",\"d3f:definition\":\"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. 
Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)\",\"rdfs:label\":\"Domain Trust Discovery\"},{\"@id\":\"d3f:T1483\",\"d3f:attack-id\":\"T1483\",\"d3f:definition\":\"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\",\"rdfs:label\":\"Domain Generation Algorithms\"},{\"@id\":\"d3f:T1484\",\"d3f:attack-id\":\"T1484\",\"d3f:definition\":\"Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. 
Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\",\"rdfs:label\":\"Domain or Tenant Policy Modification\"},{\"@id\":\"d3f:T1484.001\",\"d3f:attack-id\":\"T1484.001\",\"d3f:definition\":\"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\\u003CDOMAIN>\\\\SYSVOL\\\\\u003CDOMAIN>\\\\Policies\\\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\",\"rdfs:label\":\"Group Policy Modification\"},{\"@id\":\"d3f:T1484.002\",\"d3f:attack-id\":\"T1484.002\",\"d3f:definition\":\"Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\",\"rdfs:label\":\"Trust Modification\"},{\"@id\":\"d3f:T1485\",\"d3f:attack-id\":\"T1485\",\"d3f:definition\":\"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. 
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as \u003Ccode>del\u003C/code> and \u003Ccode>rm\u003C/code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\",\"rdfs:label\":\"Data Destruction\"},{\"@id\":\"d3f:T1485.001\",\"d3f:attack-id\":\"T1485.001\",\"d3f:definition\":\"Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.\",\"rdfs:label\":\"Lifecycle-Triggered Deletion\"},{\"@id\":\"d3f:T1486\",\"d3f:attack-id\":\"T1486\",\"d3f:definition\":\"Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)\",\"rdfs:label\":\"Data Encrypted for Impact\"},{\"@id\":\"d3f:T1487\",\"d3f:attack-id\":\"T1487\",\"d3f:definition\":\"Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.\",\"rdfs:label\":\"Disk Structure Wipe\"},{\"@id\":\"d3f:T1488\",\"d3f:attack-id\":\"T1488\",\"d3f:definition\":\"Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.\",\"rdfs:label\":\"Disk Content Wipe\"},{\"@id\":\"d3f:T1489\",\"d3f:attack-id\":\"T1489\",\"d3f:definition\":\"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. 
Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)\",\"rdfs:label\":\"Service Stop\"},{\"@id\":\"d3f:T1490\",\"d3f:attack-id\":\"T1490\",\"d3f:definition\":\"Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\",\"rdfs:label\":\"Inhibit System Recovery\"},{\"@id\":\"d3f:T1491\",\"d3f:attack-id\":\"T1491\",\"d3f:definition\":\"Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.\",\"rdfs:label\":\"Defacement\"},{\"@id\":\"d3f:T1491.001\",\"d3f:attack-id\":\"T1491.001\",\"d3f:definition\":\"An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. 
Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)\",\"rdfs:label\":\"Internal Defacement\"},{\"@id\":\"d3f:T1491.002\",\"d3f:attack-id\":\"T1491.002\",\"d3f:definition\":\"An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. 
Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)\",\"rdfs:label\":\"External Defacement\"},{\"@id\":\"d3f:T1492\",\"d3f:attack-id\":\"T1492\",\"d3f:definition\":\"Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Stored Data Manipulation\"},{\"@id\":\"d3f:T1493\",\"d3f:attack-id\":\"T1493\",\"d3f:definition\":\"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Transmitted Data Manipulation\"},{\"@id\":\"d3f:T1494\",\"d3f:attack-id\":\"T1494\",\"d3f:definition\":\"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Runtime Data Manipulation\"},{\"@id\":\"d3f:T1495\",\"d3f:attack-id\":\"T1495\",\"d3f:definition\":\"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from 
non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\",\"rdfs:label\":\"Firmware Corruption\"},{\"@id\":\"d3f:T1496\",\"d3f:attack-id\":\"T1496\",\"d3f:definition\":\"Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.\",\"rdfs:label\":\"Resource Hijacking\"},{\"@id\":\"d3f:T1496.001\",\"d3f:attack-id\":\"T1496.001\",\"d3f:definition\":\"Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.\",\"rdfs:label\":\"Compute Hijacking\"},{\"@id\":\"d3f:T1496.002\",\"d3f:attack-id\":\"T1496.002\",\"d3f:definition\":\"Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.\",\"rdfs:label\":\"Bandwidth Hijacking\"},{\"@id\":\"d3f:T1496.003\",\"d3f:attack-id\":\"T1496.003\",\"d3f:definition\":\"Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. 
By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)\",\"rdfs:label\":\"SMS Pumping\"},{\"@id\":\"d3f:T1496.004\",\"d3f:attack-id\":\"T1496.004\",\"d3f:definition\":\"Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.\",\"rdfs:label\":\"Cloud Service Hijacking\"},{\"@id\":\"d3f:T1497\",\"d3f:attack-id\":\"T1497\",\"d3f:definition\":\"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\",\"rdfs:label\":\"Virtualization/Sandbox Evasion\"},{\"@id\":\"d3f:T1497.001\",\"d3f:attack-id\":\"T1497.001\",\"d3f:definition\":\"Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. 
Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\",\"rdfs:label\":\"System Checks\"},{\"@id\":\"d3f:T1497.002\",\"d3f:attack-id\":\"T1497.002\",\"d3f:definition\":\"Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\",\"rdfs:label\":\"User Activity Based Checks\"},{\"@id\":\"d3f:T1497.003\",\"d3f:attack-id\":\"T1497.003\",\"d3f:definition\":\"Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\",\"rdfs:label\":\"Time Based Evasion\"},{\"@id\":\"d3f:T1498\",\"d3f:attack-id\":\"T1498\",\"d3f:definition\":\"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. 
Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\",\"rdfs:label\":\"Network Denial of Service\"},{\"@id\":\"d3f:T1498.001\",\"d3f:attack-id\":\"T1498.001\",\"d3f:definition\":\"Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\",\"rdfs:label\":\"Direct Network Flood\"},{\"@id\":\"d3f:T1498.002\",\"d3f:attack-id\":\"T1498.002\",\"d3f:definition\":\"Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. 
Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.\",\"rdfs:label\":\"Reflection Amplification\"},{\"@id\":\"d3f:T1499\",\"d3f:attack-id\":\"T1499\",\"d3f:definition\":\"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\",\"rdfs:label\":\"Endpoint Denial of Service\"},{\"@id\":\"d3f:T1499.001\",\"d3f:attack-id\":\"T1499.001\",\"d3f:definition\":\"Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.\",\"rdfs:label\":\"OS Exhaustion Flood\"},{\"@id\":\"d3f:T1499.002\",\"d3f:attack-id\":\"T1499.002\",\"d3f:definition\":\"Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). 
Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\",\"rdfs:label\":\"Service Exhaustion Flood\"},{\"@id\":\"d3f:T1499.003\",\"d3f:attack-id\":\"T1499.003\",\"d3f:definition\":\"Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)\",\"rdfs:label\":\"Application Exhaustion Flood\"},{\"@id\":\"d3f:T1499.004\",\"d3f:attack-id\":\"T1499.004\",\"d3f:definition\":\"Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.\",\"rdfs:label\":\"Application or System Exploitation\"},{\"@id\":\"d3f:T1500\",\"d3f:attack-id\":\"T1500\",\"d3f:definition\":\"Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. 
These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\",\"rdfs:label\":\"Compile After Delivery\"},{\"@id\":\"d3f:T1501\",\"d3f:attack-id\":\"T1501\",\"d3f:definition\":\"Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\",\"rdfs:label\":\"Systemd Service\"},{\"@id\":\"d3f:T1502\",\"d3f:attack-id\":\"T1502\",\"d3f:definition\":\"Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the \u003Ccode>CreateProcess\u003C/code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via \u003Ccode>svchost.exe\u003C/code> or \u003Ccode>consent.exe\u003C/code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\",\"rdfs:label\":\"Parent PID Spoofing\"},{\"@id\":\"d3f:T1503\",\"d3f:attack-id\":\"T1503\",\"d3f:definition\":\"Adversaries may acquire credentials from web browsers by reading files specific to the target browser. 
(Citation: Talos Olympic Destroyer 2018)\",\"rdfs:label\":\"Credentials from Web Browsers\"},{\"@id\":\"d3f:T1504\",\"d3f:attack-id\":\"T1504\",\"d3f:definition\":\"Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (\u003Ccode>profile.ps1\u003C/code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)\",\"rdfs:label\":\"PowerShell Profile\"},{\"@id\":\"d3f:T1505\",\"d3f:attack-id\":\"T1505\",\"d3f:definition\":\"Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)\",\"rdfs:label\":\"Server Software Component\"},{\"@id\":\"d3f:T1505.001\",\"d3f:attack-id\":\"T1505.001\",\"d3f:definition\":\"Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. 
when a SQL server application is started/restarted).\",\"rdfs:label\":\"SQL Stored Procedures\"},{\"@id\":\"d3f:T1505.002\",\"d3f:attack-id\":\"T1505.002\",\"d3f:definition\":\"Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.\",\"rdfs:label\":\"Transport Agent\"},{\"@id\":\"d3f:T1505.003\",\"d3f:attack-id\":\"T1505.003\",\"d3f:definition\":\"Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)\",\"rdfs:label\":\"Web Shell\"},{\"@id\":\"d3f:T1505.004\",\"d3f:attack-id\":\"T1505.004\",\"d3f:definition\":\"Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. 
Extensions and filters are deployed as DLL files that export three functions: \u003Ccode>Get{Extension/Filter}Version\u003C/code>, \u003Ccode>Http{Extension/Filter}Proc\u003C/code>, and (optionally) \u003Ccode>Terminate{Extension/Filter}\u003C/code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\",\"rdfs:label\":\"IIS Components\"},{\"@id\":\"d3f:T1505.005\",\"d3f:attack-id\":\"T1505.005\",\"d3f:definition\":\"Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)\",\"rdfs:label\":\"Terminal Services DLL\"},{\"@id\":\"d3f:T1506\",\"d3f:attack-id\":\"T1506\",\"d3f:definition\":\"Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\",\"rdfs:label\":\"Web Session Cookie\"},{\"@id\":\"d3f:T1514\",\"d3f:attack-id\":\"T1514\",\"d3f:definition\":\"Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. 
Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\",\"rdfs:label\":\"Elevated Execution with Prompt\"},{\"@id\":\"d3f:T1518\",\"d3f:attack-id\":\"T1518\",\"d3f:definition\":\"Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"Software Discovery\"},{\"@id\":\"d3f:T1518.001\",\"d3f:attack-id\":\"T1518.001\",\"d3f:definition\":\"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\",\"rdfs:label\":\"Security Software Discovery\"},{\"@id\":\"d3f:T1519\",\"d3f:attack-id\":\"T1519\",\"d3f:definition\":\"Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. 
The emond binary at \u003Ccode>/sbin/emond\u003C/code> will load any rules from the \u003Ccode>/etc/emond.d/rules/\u003C/code> directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path \u003Ccode>/private/var/db/emondClients\u003C/code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1160) configuration file at \u003Ccode>/System/Library/LaunchDaemons/com.apple.emond.plist\u003C/code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\",\"rdfs:label\":\"Emond\"},{\"@id\":\"d3f:T1522\",\"d3f:attack-id\":\"T1522\",\"d3f:definition\":\"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\",\"rdfs:label\":\"Cloud Instance Metadata API\"},{\"@id\":\"d3f:T1525\",\"d3f:attack-id\":\"T1525\",\"d3f:definition\":\"Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. 
Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\",\"rdfs:label\":\"Implant Internal Image\"},{\"@id\":\"d3f:T1526\",\"d3f:attack-id\":\"T1526\",\"d3f:definition\":\"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\",\"rdfs:label\":\"Cloud Service Discovery\"},{\"@id\":\"d3f:T1527\",\"d3f:attack-id\":\"T1527\",\"d3f:definition\":\"Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\",\"rdfs:label\":\"Application Access Token\"},{\"@id\":\"d3f:T1528\",\"d3f:attack-id\":\"T1528\",\"d3f:definition\":\"Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\",\"rdfs:label\":\"Steal Application Access Token\"},{\"@id\":\"d3f:T1529\",\"d3f:attack-id\":\"T1529\",\"d3f:definition\":\"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. 
In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. \u003Ccode>reload\u003C/code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\",\"rdfs:label\":\"System Shutdown/Reboot\"},{\"@id\":\"d3f:T1530\",\"d3f:attack-id\":\"T1530\",\"d3f:definition\":\"Adversaries may access data from cloud storage.\",\"rdfs:label\":\"Data from Cloud Storage\"},{\"@id\":\"d3f:T1531\",\"d3f:attack-id\":\"T1531\",\"d3f:definition\":\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\",\"rdfs:label\":\"Account Access Removal\"},{\"@id\":\"d3f:T1534\",\"d3f:attack-id\":\"T1534\",\"d3f:definition\":\"After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. 
Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)\",\"rdfs:label\":\"Internal Spearphishing\"},{\"@id\":\"d3f:T1535\",\"d3f:attack-id\":\"T1535\",\"d3f:definition\":\"Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\",\"rdfs:label\":\"Unused/Unsupported Cloud Regions\"},{\"@id\":\"d3f:T1536\",\"d3f:attack-id\":\"T1536\",\"d3f:definition\":\"An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\",\"rdfs:label\":\"Revert Cloud Instance\"},{\"@id\":\"d3f:T1537\",\"d3f:attack-id\":\"T1537\",\"d3f:definition\":\"Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\",\"rdfs:label\":\"Transfer Data to Cloud Account\"},{\"@id\":\"d3f:T1538\",\"d3f:attack-id\":\"T1538\",\"d3f:definition\":\"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. 
For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\",\"rdfs:label\":\"Cloud Service Dashboard\"},{\"@id\":\"d3f:T1539\",\"d3f:attack-id\":\"T1539\",\"d3f:definition\":\"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\",\"rdfs:label\":\"Steal Web Session Cookie\"},{\"@id\":\"d3f:T1542\",\"d3f:attack-id\":\"T1542\",\"d3f:definition\":\"Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\",\"rdfs:label\":\"Pre-OS Boot\"},{\"@id\":\"d3f:T1542.001\",\"d3f:attack-id\":\"T1542.001\",\"d3f:definition\":\"Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)\",\"rdfs:label\":\"System Firmware\"},{\"@id\":\"d3f:T1542.002\",\"d3f:attack-id\":\"T1542.002\",\"d3f:definition\":\"Adversaries may modify component firmware to persist on systems. 
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\",\"rdfs:label\":\"Component Firmware\"},{\"@id\":\"d3f:T1542.003\",\"d3f:attack-id\":\"T1542.003\",\"d3f:definition\":\"Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\",\"rdfs:label\":\"Bootkit\"},{\"@id\":\"d3f:T1542.004\",\"d3f:attack-id\":\"T1542.004\",\"d3f:definition\":\"Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\",\"rdfs:label\":\"ROMMONkit\"},{\"@id\":\"d3f:T1542.005\",\"d3f:attack-id\":\"T1542.005\",\"d3f:definition\":\"Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\",\"rdfs:label\":\"TFTP Boot\"},{\"@id\":\"d3f:T1543\",\"d3f:attack-id\":\"T1543\",\"d3f:definition\":\"Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. 
When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)\",\"rdfs:label\":\"Create or Modify System Process\"},{\"@id\":\"d3f:T1543.001\",\"d3f:attack-id\":\"T1543.001\",\"d3f:definition\":\"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in \u003Ccode>/System/Library/LaunchAgents\u003C/code>, \u003Ccode>/Library/LaunchAgents\u003C/code>, and \u003Ccode>~/Library/LaunchAgents\u003C/code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the \u003Ccode>Label\u003C/code>, \u003Ccode>ProgramArguments \u003C/code>, and \u003Ccode>RunAtLoad\u003C/code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\",\"rdfs:label\":\"Launch Agent\"},{\"@id\":\"d3f:T1543.002\",\"d3f:attack-id\":\"T1543.002\",\"d3f:definition\":\"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. 
Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.\",\"rdfs:label\":\"Systemd Service\"},{\"@id\":\"d3f:T1543.003\",\"d3f:attack-id\":\"T1543.003\",\"d3f:definition\":\"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\",\"rdfs:label\":\"Windows Service\"},{\"@id\":\"d3f:T1543.004\",\"d3f:attack-id\":\"T1543.004\",\"d3f:definition\":\"Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in \u003Ccode>/System/Library/LaunchDaemons/\u003C/code> and \u003Ccode>/Library/LaunchDaemons/\u003C/code>. Required Launch Daemons parameters include a \u003Ccode>Label\u003C/code> to identify the task, \u003Ccode>Program\u003C/code> to provide a path to the executable, and \u003Ccode>RunAtLoad\u003C/code> to specify when the task is run. 
Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\",\"rdfs:label\":\"Launch Daemon\"},{\"@id\":\"d3f:T1543.005\",\"d3f:attack-id\":\"T1543.005\",\"d3f:definition\":\"Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.\",\"rdfs:label\":\"Container Service\"},{\"@id\":\"d3f:T1546\",\"d3f:attack-id\":\"T1546\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\",\"rdfs:label\":\"Event Triggered Execution\"},{\"@id\":\"d3f:T1546.001\",\"d3f:attack-id\":\"T1546.001\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\",\"rdfs:label\":\"Change Default File Association\"},{\"@id\":\"d3f:T1546.002\",\"d3f:attack-id\":\"T1546.002\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in \u003Ccode>C:\\\\Windows\\\\System32\\\\\u003C/code>, and \u003Ccode>C:\\\\Windows\\\\sysWOW64\\\\\u003C/code> on 64-bit Windows systems, along with screensavers included with base Windows installations.\",\"rdfs:label\":\"Screensaver\"},{\"@id\":\"d3f:T1546.003\",\"d3f:attack-id\":\"T1546.003\",\"d3f:definition\":\"Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)\",\"rdfs:label\":\"Windows Management Instrumentation Event Subscription\"},{\"@id\":\"d3f:T1546.004\",\"d3f:attack-id\":\"T1546.004\",\"d3f:definition\":\"Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. 
User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (\u003Ccode>/etc\u003C/code>) and the user’s home directory (\u003Ccode>~/\u003C/code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.\",\"rdfs:label\":\"Unix Shell Configuration Modification\"},{\"@id\":\"d3f:T1546.005\",\"d3f:attack-id\":\"T1546.005\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The \u003Ccode>trap\u003C/code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like \u003Ccode>ctrl+c\u003C/code> and \u003Ccode>ctrl+d\u003C/code>.\",\"rdfs:label\":\"Trap\"},{\"@id\":\"d3f:T1546.006\",\"d3f:attack-id\":\"T1546.006\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. 
These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\",\"rdfs:label\":\"LC_LOAD_DYLIB Addition\"},{\"@id\":\"d3f:T1546.007\",\"d3f:attack-id\":\"T1546.007\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at \u003Ccode>HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\u003C/code>.\",\"rdfs:label\":\"Netsh Helper DLL\"},{\"@id\":\"d3f:T1546.008\",\"d3f:attack-id\":\"T1546.008\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"rdfs:label\":\"Accessibility Features\"},{\"@id\":\"d3f:T1546.009\",\"d3f:attack-id\":\"T1546.009\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. 
Dynamic-link libraries (DLLs) that are specified in the \u003Ccode>AppCertDLLs\u003C/code> Registry key under \u003Ccode>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\\u003C/code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions \u003Ccode>CreateProcess\u003C/code>, \u003Ccode>CreateProcessAsUser\u003C/code>, \u003Ccode>CreateProcessWithLoginW\u003C/code>, \u003Ccode>CreateProcessWithTokenW\u003C/code>, or \u003Ccode>WinExec\u003C/code>. (Citation: Elastic Process Injection July 2017)\",\"rdfs:label\":\"AppCert DLLs\"},{\"@id\":\"d3f:T1546.010\",\"d3f:attack-id\":\"T1546.010\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the \u003Ccode>AppInit_DLLs\u003C/code> value in the Registry keys \u003Ccode>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\u003C/code> or \u003Ccode>HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\u003C/code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\",\"rdfs:label\":\"AppInit DLLs\"},{\"@id\":\"d3f:T1546.011\",\"d3f:attack-id\":\"T1546.011\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. 
For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\",\"rdfs:label\":\"Application Shimming\"},{\"@id\":\"d3f:T1546.012\",\"d3f:attack-id\":\"T1546.012\",\"d3f:definition\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., \u003Ccode>C:\\\\dbg\\\\ntsd.exe -g notepad.exe\u003C/code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)\",\"rdfs:label\":\"Image File Execution Options Injection\"},{\"@id\":\"d3f:T1546.013\",\"d3f:attack-id\":\"T1546.013\",\"d3f:definition\":\"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (\u003Ccode>profile.ps1\u003C/code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\",\"rdfs:label\":\"PowerShell Profile\"},{\"@id\":\"d3f:T1546.014\",\"d3f:attack-id\":\"T1546.014\",\"d3f:definition\":\"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. 
The emond binary at \u003Ccode>/sbin/emond\u003C/code> will load any rules from the \u003Ccode>/etc/emond.d/rules/\u003C/code> directory and take action once an explicitly defined event takes place.\",\"rdfs:label\":\"Emond\"},{\"@id\":\"d3f:T1546.015\",\"d3f:attack-id\":\"T1546.015\",\"d3f:definition\":\"Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry.\",\"rdfs:label\":\"Component Object Model Hijacking\"},{\"@id\":\"d3f:T1546.016\",\"d3f:attack-id\":\"T1546.016\",\"d3f:definition\":\"Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\",\"rdfs:label\":\"Installer Packages\"},{\"@id\":\"d3f:T1546.017\",\"d3f:attack-id\":\"T1546.017\",\"d3f:definition\":\"Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. 
Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)\",\"rdfs:label\":\"Udev Rules\"},{\"@id\":\"d3f:T1547\",\"d3f:attack-id\":\"T1547\",\"d3f:definition\":\"Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\",\"rdfs:label\":\"Boot or Logon Autostart Execution\"},{\"@id\":\"d3f:T1547.001\",\"d3f:attack-id\":\"T1547.001\",\"d3f:definition\":\"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. 
Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\",\"rdfs:label\":\"Registry Run Keys / Startup Folder\"},{\"@id\":\"d3f:T1547.002\",\"d3f:attack-id\":\"T1547.002\",\"d3f:definition\":\"Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)\",\"rdfs:label\":\"Authentication Package\"},{\"@id\":\"d3f:T1547.003\",\"d3f:attack-id\":\"T1547.003\",\"d3f:definition\":\"Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)\",\"rdfs:label\":\"Time Providers\"},{\"@id\":\"d3f:T1547.004\",\"d3f:attack-id\":\"T1547.004\",\"d3f:definition\":\"Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. 
Registry entries in \u003Ccode>HKLM\\\\Software[\\\\\\\\Wow6432Node\\\\\\\\]\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\u003C/code> and \u003Ccode>HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\\u003C/code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)\",\"rdfs:label\":\"Winlogon Helper DLL\"},{\"@id\":\"d3f:T1547.005\",\"d3f:attack-id\":\"T1547.005\",\"d3f:definition\":\"Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\",\"rdfs:label\":\"Security Support Provider\"},{\"@id\":\"d3f:T1547.006\",\"d3f:attack-id\":\"T1547.006\",\"d3f:definition\":\"Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) \",\"rdfs:label\":\"Kernel Modules and Extensions\"},{\"@id\":\"d3f:T1547.007\",\"d3f:attack-id\":\"T1547.007\",\"d3f:definition\":\"Adversaries may modify plist files to automatically run an application when a user logs in. 
When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to \\\"Reopen windows when logging back in\\\".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named \u003Ccode>com.apple.loginwindow.[UUID].plist\u003C/code> within the \u003Ccode>~/Library/Preferences/ByHost\u003C/code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.\",\"rdfs:label\":\"Re-opened Applications\"},{\"@id\":\"d3f:T1547.008\",\"d3f:attack-id\":\"T1547.008\",\"d3f:definition\":\"Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)\",\"rdfs:label\":\"LSASS Driver\"},{\"@id\":\"d3f:T1547.009\",\"d3f:attack-id\":\"T1547.009\",\"d3f:definition\":\"Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\",\"rdfs:label\":\"Shortcut Modification\"},{\"@id\":\"d3f:T1547.010\",\"d3f:attack-id\":\"T1547.010\",\"d3f:definition\":\"Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. 
A port monitor can be set through the \u003Ccode>AddMonitor\u003C/code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in \u003Ccode>C:\\\\Windows\\\\System32\u003C/code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)\",\"rdfs:label\":\"Port Monitors\"},{\"@id\":\"d3f:T1547.011\",\"d3f:attack-id\":\"T1547.011\",\"d3f:definition\":\"Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, \u003Ccode>Info.plist\u003C/code>, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)\",\"rdfs:label\":\"Plist Modification\"},{\"@id\":\"d3f:T1547.012\",\"d3f:attack-id\":\"T1547.012\",\"d3f:definition\":\"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\",\"rdfs:label\":\"Print Processors\"},{\"@id\":\"d3f:T1547.013\",\"d3f:attack-id\":\"T1547.013\",\"d3f:definition\":\"Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. 
These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\",\"rdfs:label\":\"XDG Autostart Entries\"},{\"@id\":\"d3f:T1547.014\",\"d3f:attack-id\":\"T1547.014\",\"d3f:definition\":\"Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\",\"rdfs:label\":\"Active Setup\"},{\"@id\":\"d3f:T1547.015\",\"d3f:attack-id\":\"T1547.015\",\"d3f:definition\":\"Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call \u003Ccode>SMLoginItemSetEnabled\u003C/code>.\",\"rdfs:label\":\"Login Items\"},{\"@id\":\"d3f:T1548\",\"d3f:attack-id\":\"T1548\",\"d3f:definition\":\"Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. 
Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)\",\"rdfs:label\":\"Abuse Elevation Control Mechanism\"},{\"@id\":\"d3f:T1548.001\",\"d3f:attack-id\":\"T1548.001\",\"d3f:definition\":\"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\",\"rdfs:label\":\"Setuid and Setgid\"},{\"@id\":\"d3f:T1548.002\",\"d3f:attack-id\":\"T1548.002\",\"d3f:definition\":\"Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)\",\"rdfs:label\":\"Bypass User Account Control\"},{\"@id\":\"d3f:T1548.003\",\"d3f:attack-id\":\"T1548.003\",\"d3f:definition\":\"Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\",\"rdfs:label\":\"Sudo and Sudo Caching\"},{\"@id\":\"d3f:T1548.004\",\"d3f:attack-id\":\"T1548.004\",\"d3f:definition\":\"Adversaries may leverage the \u003Ccode>AuthorizationExecuteWithPrivileges\u003C/code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.\",\"rdfs:label\":\"Elevated Execution with Prompt\"},{\"@id\":\"d3f:T1548.005\",\"d3f:attack-id\":\"T1548.005\",\"d3f:definition\":\"Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. 
Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.\",\"rdfs:label\":\"Temporary Elevated Cloud Access\"},{\"@id\":\"d3f:T1548.006\",\"d3f:attack-id\":\"T1548.006\",\"d3f:definition\":\"Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\",\"rdfs:label\":\"TCC Manipulation\"},{\"@id\":\"d3f:T1550\",\"d3f:attack-id\":\"T1550\",\"d3f:definition\":\"Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.\",\"rdfs:label\":\"Use Alternate Authentication Material\"},{\"@id\":\"d3f:T1550.001\",\"d3f:attack-id\":\"T1550.001\",\"d3f:definition\":\"Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\",\"rdfs:label\":\"Application Access Token\"},{\"@id\":\"d3f:T1550.002\",\"d3f:attack-id\":\"T1550.002\",\"d3f:definition\":\"Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. 
This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\",\"rdfs:label\":\"Pass the Hash\"},{\"@id\":\"d3f:T1550.003\",\"d3f:attack-id\":\"T1550.003\",\"d3f:definition\":\"Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\",\"rdfs:label\":\"Pass the Ticket\"},{\"@id\":\"d3f:T1550.004\",\"d3f:attack-id\":\"T1550.004\",\"d3f:definition\":\"Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\",\"rdfs:label\":\"Web Session Cookie\"},{\"@id\":\"d3f:T1552\",\"d3f:attack-id\":\"T1552\",\"d3f:definition\":\"Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)\",\"rdfs:label\":\"Unsecured Credentials\"},{\"@id\":\"d3f:T1552.001\",\"d3f:attack-id\":\"T1552.001\",\"d3f:definition\":\"Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. 
These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\",\"rdfs:label\":\"Credentials In Files\"},{\"@id\":\"d3f:T1552.002\",\"d3f:attack-id\":\"T1552.002\",\"d3f:definition\":\"Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\",\"rdfs:label\":\"Credentials in Registry\"},{\"@id\":\"d3f:T1552.003\",\"d3f:attack-id\":\"T1552.003\",\"d3f:definition\":\"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \\\"history\\\" utility. Once a user logs out, the history is flushed to the user’s \u003Ccode>.bash_history\u003C/code> file. For each user, this file resides at the same location: \u003Ccode>~/.bash_history\u003C/code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)\",\"rdfs:label\":\"Bash History\"},{\"@id\":\"d3f:T1552.004\",\"d3f:attack-id\":\"T1552.004\",\"d3f:definition\":\"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. 
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.\",\"rdfs:label\":\"Private Keys\"},{\"@id\":\"d3f:T1552.005\",\"d3f:attack-id\":\"T1552.005\",\"d3f:definition\":\"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\",\"rdfs:label\":\"Cloud Instance Metadata API\"},{\"@id\":\"d3f:T1552.006\",\"d3f:attack-id\":\"T1552.006\",\"d3f:definition\":\"Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\",\"rdfs:label\":\"Group Policy Preferences\"},{\"@id\":\"d3f:T1552.007\",\"d3f:attack-id\":\"T1552.007\",\"d3f:definition\":\"Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\",\"rdfs:label\":\"Container API\"},{\"@id\":\"d3f:T1552.008\",\"d3f:attack-id\":\"T1552.008\",\"d3f:definition\":\"Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. 
Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.\",\"rdfs:label\":\"Chat Messages\"},{\"@id\":\"d3f:T1553\",\"d3f:attack-id\":\"T1553\",\"d3f:definition\":\"Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\",\"rdfs:label\":\"Subvert Trust Controls\"},{\"@id\":\"d3f:T1553.001\",\"d3f:attack-id\":\"T1553.001\",\"d3f:definition\":\"Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )\",\"rdfs:label\":\"Gatekeeper Bypass\"},{\"@id\":\"d3f:T1553.002\",\"d3f:attack-id\":\"T1553.002\",\"d3f:definition\":\"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. 
Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\",\"rdfs:label\":\"Code Signing\"},{\"@id\":\"d3f:T1553.003\",\"d3f:attack-id\":\"T1553.003\",\"d3f:definition\":\"Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\",\"rdfs:label\":\"SIP and Trust Provider Hijacking\"},{\"@id\":\"d3f:T1553.004\",\"d3f:attack-id\":\"T1553.004\",\"d3f:definition\":\"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). 
When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\",\"rdfs:label\":\"Install Root Certificate\"},{\"@id\":\"d3f:T1553.005\",\"d3f:attack-id\":\"T1553.005\",\"d3f:definition\":\"Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named \u003Ccode>Zone.Identifier\u003C/code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\",\"rdfs:label\":\"Mark-of-the-Web Bypass\"},{\"@id\":\"d3f:T1553.006\",\"d3f:attack-id\":\"T1553.006\",\"d3f:definition\":\"Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. 
Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.\",\"rdfs:label\":\"Code Signing Policy Modification\"},{\"@id\":\"d3f:T1554\",\"d3f:attack-id\":\"T1554\",\"d3f:definition\":\"Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\",\"rdfs:label\":\"Compromise Host Software Binary\"},{\"@id\":\"d3f:T1555\",\"d3f:attack-id\":\"T1555\",\"d3f:definition\":\"Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\",\"rdfs:label\":\"Credentials from Password Stores\"},{\"@id\":\"d3f:T1555.001\",\"d3f:attack-id\":\"T1555.001\",\"d3f:definition\":\"Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. 
The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.\",\"rdfs:label\":\"Keychain\"},{\"@id\":\"d3f:T1555.002\",\"d3f:attack-id\":\"T1555.002\",\"d3f:definition\":\"An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)\",\"rdfs:label\":\"Securityd Memory\"},{\"@id\":\"d3f:T1555.003\",\"d3f:attack-id\":\"T1555.003\",\"d3f:definition\":\"Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\",\"rdfs:label\":\"Credentials from Web Browsers\"},{\"@id\":\"d3f:T1555.004\",\"d3f:attack-id\":\"T1555.004\",\"d3f:definition\":\"Adversaries may acquire credentials from the Windows Credential Manager. 
The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\",\"rdfs:label\":\"Windows Credential Manager\"},{\"@id\":\"d3f:T1555.005\",\"d3f:attack-id\":\"T1555.005\",\"d3f:definition\":\"Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\",\"rdfs:label\":\"Password Managers\"},{\"@id\":\"d3f:T1555.006\",\"d3f:attack-id\":\"T1555.006\",\"d3f:definition\":\"Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.\",\"rdfs:label\":\"Cloud Secrets Management Stores\"},{\"@id\":\"d3f:T1556\",\"d3f:attack-id\":\"T1556\",\"d3f:definition\":\"Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. 
By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\",\"rdfs:label\":\"Modify Authentication Process\"},{\"@id\":\"d3f:T1556.001\",\"d3f:attack-id\":\"T1556.001\",\"d3f:definition\":\"Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.\",\"rdfs:label\":\"Domain Controller Authentication\"},{\"@id\":\"d3f:T1556.002\",\"d3f:attack-id\":\"T1556.002\",\"d3f:definition\":\"Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\",\"rdfs:label\":\"Password Filter DLL\"},{\"@id\":\"d3f:T1556.003\",\"d3f:attack-id\":\"T1556.003\",\"d3f:definition\":\"Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. 
The most common authentication module is \u003Ccode>pam_unix.so\u003C/code>, which retrieves, sets, and verifies account authentication information in \u003Ccode>/etc/passwd\u003C/code> and \u003Ccode>/etc/shadow\u003C/code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\",\"rdfs:label\":\"Pluggable Authentication Modules\"},{\"@id\":\"d3f:T1556.004\",\"d3f:attack-id\":\"T1556.004\",\"d3f:definition\":\"Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing the native authentication mechanisms for local accounts on network devices.\",\"rdfs:label\":\"Network Device Authentication\"},{\"@id\":\"d3f:T1556.005\",\"d3f:attack-id\":\"T1556.005\",\"d3f:definition\":\"An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The \u003Ccode>AllowReversiblePasswordEncryption\u003C/code> property specifies whether reversible password encryption for an account is enabled or disabled. 
By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)\",\"rdfs:label\":\"Reversible Encryption\"},{\"@id\":\"d3f:T1556.006\",\"d3f:attack-id\":\"T1556.006\",\"d3f:definition\":\"Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\",\"rdfs:label\":\"Multi-Factor Authentication\"},{\"@id\":\"d3f:T1556.007\",\"d3f:attack-id\":\"T1556.007\",\"d3f:definition\":\"Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.\",\"rdfs:label\":\"Hybrid Identity\"},{\"@id\":\"d3f:T1556.008\",\"d3f:attack-id\":\"T1556.008\",\"d3f:definition\":\"Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)\",\"rdfs:label\":\"Network Provider DLL\"},{\"@id\":\"d3f:T1556.009\",\"d3f:attack-id\":\"T1556.009\",\"d3f:definition\":\"Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. 
Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\",\"rdfs:label\":\"Conditional Access Policies\"},{\"@id\":\"d3f:T1557\",\"d3f:attack-id\":\"T1557\",\"d3f:definition\":\"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\",\"rdfs:label\":\"Adversary-in-the-Middle\"},{\"@id\":\"d3f:T1557.001\",\"d3f:attack-id\":\"T1557.001\",\"d3f:definition\":\"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.\",\"rdfs:label\":\"LLMNR/NBT-NS Poisoning and SMB Relay\"},{\"@id\":\"d3f:T1557.002\",\"d3f:attack-id\":\"T1557.002\",\"d3f:definition\":\"Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. 
This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\",\"rdfs:label\":\"ARP Cache Poisoning\"},{\"@id\":\"d3f:T1557.003\",\"d3f:attack-id\":\"T1557.003\",\"d3f:definition\":\"Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\",\"rdfs:label\":\"DHCP Spoofing\"},{\"@id\":\"d3f:T1557.004\",\"d3f:attack-id\":\"T1557.004\",\"d3f:definition\":\"Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia ‘Evil Twin’)\",\"rdfs:label\":\"Evil Twin\"},{\"@id\":\"d3f:T1558\",\"d3f:attack-id\":\"T1558\",\"d3f:definition\":\"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. 
In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\",\"rdfs:label\":\"Steal or Forge Kerberos Tickets\"},{\"@id\":\"d3f:T1558.001\",\"d3f:attack-id\":\"T1558.001\",\"d3f:definition\":\"Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)\",\"rdfs:label\":\"Golden Ticket\"},{\"@id\":\"d3f:T1558.002\",\"d3f:attack-id\":\"T1558.002\",\"d3f:definition\":\"Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. 
Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\",\"rdfs:label\":\"Silver Ticket\"},{\"@id\":\"d3f:T1558.003\",\"d3f:attack-id\":\"T1558.003\",\"d3f:definition\":\"Service Principal Name (SPN) scanning is one way to gather hashes, which results in RPC calls conforming to the NSPI protocol.\",\"rdfs:label\":\"Kerberoasting\"},{\"@id\":\"d3f:T1558.004\",\"d3f:attack-id\":\"T1558.004\",\"d3f:definition\":\"Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)\",\"rdfs:label\":\"AS-REP Roasting\"},{\"@id\":\"d3f:T1558.005\",\"d3f:attack-id\":\"T1558.005\",\"d3f:definition\":\"Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials.\",\"rdfs:label\":\"Ccache Files\"},{\"@id\":\"d3f:T1559\",\"d3f:attack-id\":\"T1559\",\"d3f:definition\":\"Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.\",\"rdfs:label\":\"Inter-Process Communication\"},{\"@id\":\"d3f:T1559.001\",\"d3f:attack-id\":\"T1559.001\",\"d3f:definition\":\"Adversaries may use the Windows Component Object Model (COM) for local code execution. 
COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\",\"rdfs:label\":\"Component Object Model\"},{\"@id\":\"d3f:T1559.002\",\"d3f:attack-id\":\"T1559.002\",\"d3f:definition\":\"Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\",\"rdfs:label\":\"Dynamic Data Exchange\"},{\"@id\":\"d3f:T1559.003\",\"d3f:attack-id\":\"T1559.003\",\"d3f:definition\":\"Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service \u003Ccode>C API\u003C/code> or the high level \u003Ccode>NSXPCConnection API\u003C/code> in order to handle tasks that require elevated privileges (such as network connections). 
Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)\",\"rdfs:label\":\"XPC Services\"},{\"@id\":\"d3f:T1560\",\"d3f:attack-id\":\"T1560\",\"d3f:definition\":\"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\",\"rdfs:label\":\"Archive Collected Data\"},{\"@id\":\"d3f:T1560.001\",\"d3f:attack-id\":\"T1560.001\",\"d3f:definition\":\"Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\",\"rdfs:label\":\"Archive via Utility\"},{\"@id\":\"d3f:T1560.002\",\"d3f:attack-id\":\"T1560.002\",\"d3f:definition\":\"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\",\"rdfs:label\":\"Archive via Library\"},{\"@id\":\"d3f:T1560.003\",\"d3f:attack-id\":\"T1560.003\",\"d3f:definition\":\"An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. 
Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)\",\"rdfs:label\":\"Archive via Custom Method\"},{\"@id\":\"d3f:T1561\",\"d3f:attack-id\":\"T1561\",\"d3f:definition\":\"Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\",\"rdfs:label\":\"Disk Wipe\"},{\"@id\":\"d3f:T1561.001\",\"d3f:attack-id\":\"T1561.001\",\"d3f:definition\":\"Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\",\"rdfs:label\":\"Disk Content Wipe\"},{\"@id\":\"d3f:T1561.002\",\"d3f:attack-id\":\"T1561.002\",\"d3f:definition\":\"Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.\",\"rdfs:label\":\"Disk Structure Wipe\"},{\"@id\":\"d3f:T1562\",\"d3f:attack-id\":\"T1562\",\"d3f:definition\":\"Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\",\"rdfs:label\":\"Impair Defenses\"},{\"@id\":\"d3f:T1562.001\",\"d3f:attack-id\":\"T1562.001\",\"d3f:definition\":\"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\",\"rdfs:label\":\"Disable or Modify Tools\"},{\"@id\":\"d3f:T1562.002\",\"d3f:attack-id\":\"T1562.002\",\"d3f:definition\":\"Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\",\"rdfs:label\":\"Disable Windows Event Logging\"},{\"@id\":\"d3f:T1562.003\",\"d3f:attack-id\":\"T1562.003\",\"d3f:definition\":\"Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\",\"rdfs:label\":\"Impair Command History Logging\"},{\"@id\":\"d3f:T1562.004\",\"d3f:attack-id\":\"T1562.004\",\"d3f:definition\":\"Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. 
This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\",\"rdfs:label\":\"Disable or Modify System Firewall\"},{\"@id\":\"d3f:T1562.006\",\"d3f:attack-id\":\"T1562.006\",\"d3f:definition\":\"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering with settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\",\"rdfs:label\":\"Indicator Blocking\"},{\"@id\":\"d3f:T1562.007\",\"d3f:attack-id\":\"T1562.007\",\"d3f:definition\":\"Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).\",\"rdfs:label\":\"Disable or Modify Cloud Firewall\"},{\"@id\":\"d3f:T1562.008\",\"d3f:attack-id\":\"T1562.008\",\"d3f:definition\":\"An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. 
If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\",\"rdfs:label\":\"Disable or Modify Cloud Logs\"},{\"@id\":\"d3f:T1562.009\",\"d3f:attack-id\":\"T1562.009\",\"d3f:definition\":\"Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\",\"rdfs:label\":\"Safe Mode Boot\"},{\"@id\":\"d3f:T1562.010\",\"d3f:attack-id\":\"T1562.010\",\"d3f:definition\":\"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.\",\"rdfs:label\":\"Downgrade Attack\"},{\"@id\":\"d3f:T1562.011\",\"d3f:attack-id\":\"T1562.011\",\"d3f:definition\":\"Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.\",\"rdfs:label\":\"Spoof Security Alerting\"},{\"@id\":\"d3f:T1562.012\",\"d3f:attack-id\":\"T1562.012\",\"d3f:definition\":\"Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. 
Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.\",\"rdfs:label\":\"Disable or Modify Linux Audit System\"},{\"@id\":\"d3f:T1563\",\"d3f:attack-id\":\"T1563\",\"d3f:definition\":\"Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\",\"rdfs:label\":\"Remote Service Session Hijacking\"},{\"@id\":\"d3f:T1563.001\",\"d3f:attack-id\":\"T1563.001\",\"d3f:definition\":\"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\",\"rdfs:label\":\"SSH Hijacking\"},{\"@id\":\"d3f:T1563.002\",\"d3f:attack-id\":\"T1563.002\",\"d3f:definition\":\"Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. 
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\",\"rdfs:label\":\"RDP Hijacking\"},{\"@id\":\"d3f:T1564\",\"d3f:attack-id\":\"T1564\",\"d3f:definition\":\"Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\",\"rdfs:label\":\"Hide Artifacts\"},{\"@id\":\"d3f:T1564.001\",\"d3f:attack-id\":\"T1564.001\",\"d3f:definition\":\"Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (\u003Ccode>dir /a\u003C/code> for Windows and \u003Ccode>ls -a\u003C/code> for Linux and macOS).\",\"rdfs:label\":\"Hidden Files and Directories\"},{\"@id\":\"d3f:T1564.002\",\"d3f:attack-id\":\"T1564.002\",\"d3f:definition\":\"Adversaries may use hidden users to hide the presence of user accounts they create or modify. 
Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.\",\"rdfs:label\":\"Hidden Users\"},{\"@id\":\"d3f:T1564.003\",\"d3f:attack-id\":\"T1564.003\",\"d3f:definition\":\"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\",\"rdfs:label\":\"Hidden Window\"},{\"@id\":\"d3f:T1564.004\",\"d3f:attack-id\":\"T1564.004\",\"d3f:definition\":\"Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\",\"rdfs:label\":\"NTFS File Attributes\"},{\"@id\":\"d3f:T1564.005\",\"d3f:attack-id\":\"T1564.005\",\"d3f:definition\":\"Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). 
Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\",\"rdfs:label\":\"Hidden File System\"},{\"@id\":\"d3f:T1564.006\",\"d3f:attack-id\":\"T1564.006\",\"d3f:definition\":\"Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\",\"rdfs:label\":\"Run Virtual Instance\"},{\"@id\":\"d3f:T1564.007\",\"d3f:attack-id\":\"T1564.007\",\"d3f:definition\":\"Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\",\"rdfs:label\":\"VBA Stomping\"},{\"@id\":\"d3f:T1564.008\",\"d3f:attack-id\":\"T1564.008\",\"d3f:definition\":\"Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. 
Rules may be created or modified within email clients or through external features such as the \u003Ccode>New-InboxRule\u003C/code> or \u003Ccode>Set-InboxRule\u003C/code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\",\"rdfs:label\":\"Email Hiding Rules\"},{\"@id\":\"d3f:T1564.009\",\"d3f:attack-id\":\"T1564.009\",\"d3f:definition\":\"Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using \u003Ccode>ls -l@\u003C/code> or \u003Ccode>xattr -l\u003C/code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the \u003Ccode>/Resources\u003C/code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\",\"rdfs:label\":\"Resource Forking\"},{\"@id\":\"d3f:T1564.010\",\"d3f:attack-id\":\"T1564.010\",\"d3f:definition\":\"Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. 
When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\",\"rdfs:label\":\"Process Argument Spoofing\"},{\"@id\":\"d3f:T1564.011\",\"d3f:attack-id\":\"T1564.011\",\"d3f:definition\":\"Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.\",\"rdfs:label\":\"Ignore Process Interrupts\"},{\"@id\":\"d3f:T1564.012\",\"d3f:attack-id\":\"T1564.012\",\"d3f:definition\":\"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. 
These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\",\"rdfs:label\":\"File/Path Exclusions\"},{\"@id\":\"d3f:T1565\",\"d3f:attack-id\":\"T1565\",\"d3f:definition\":\"Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\",\"rdfs:label\":\"Data Manipulation\"},{\"@id\":\"d3f:T1565.001\",\"d3f:attack-id\":\"T1565.001\",\"d3f:definition\":\"Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Stored Data Manipulation\"},{\"@id\":\"d3f:T1565.002\",\"d3f:attack-id\":\"T1565.002\",\"d3f:definition\":\"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Transmitted Data Manipulation\"},{\"@id\":\"d3f:T1565.003\",\"d3f:attack-id\":\"T1565.003\",\"d3f:definition\":\"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: 
FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\",\"rdfs:label\":\"Runtime Data Manipulation\"},{\"@id\":\"d3f:T1566\",\"d3f:attack-id\":\"T1566\",\"d3f:definition\":\"Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\",\"rdfs:label\":\"Phishing\"},{\"@id\":\"d3f:T1566.001\",\"d3f:attack-id\":\"T1566.001\",\"d3f:definition\":\"Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\",\"rdfs:label\":\"Spearphishing Attachment\"},{\"@id\":\"d3f:T1566.002\",\"d3f:attack-id\":\"T1566.002\",\"d3f:definition\":\"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\",\"rdfs:label\":\"Spearphishing Link\"},{\"@id\":\"d3f:T1566.003\",\"d3f:attack-id\":\"T1566.003\",\"d3f:definition\":\"Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.\",\"rdfs:label\":\"Spearphishing via Service\"},{\"@id\":\"d3f:T1566.004\",\"d3f:attack-id\":\"T1566.004\",\"d3f:definition\":\"Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\",\"rdfs:label\":\"Spearphishing Voice\"},{\"@id\":\"d3f:T1567\",\"d3f:attack-id\":\"T1567\",\"d3f:definition\":\"Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. 
Firewall rules may also already exist to permit traffic to these services.\",\"rdfs:label\":\"Exfiltration Over Web Service\"},{\"@id\":\"d3f:T1567.001\",\"d3f:attack-id\":\"T1567.001\",\"d3f:definition\":\"Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.\",\"rdfs:label\":\"Exfiltration to Code Repository\"},{\"@id\":\"d3f:T1567.002\",\"d3f:attack-id\":\"T1567.002\",\"d3f:definition\":\"Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\",\"rdfs:label\":\"Exfiltration to Cloud Storage\"},{\"@id\":\"d3f:T1567.003\",\"d3f:attack-id\":\"T1567.003\",\"d3f:definition\":\"Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as \u003Ccode>pastebin[.]com\u003C/code>, are commonly used by developers to share code and other information.\",\"rdfs:label\":\"Exfiltration to Text Storage Sites\"},{\"@id\":\"d3f:T1567.004\",\"d3f:attack-id\":\"T1567.004\",\"d3f:definition\":\"Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. 
Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.\",\"rdfs:label\":\"Exfiltration Over Webhook\"},{\"@id\":\"d3f:T1568\",\"d3f:attack-id\":\"T1568\",\"d3f:definition\":\"Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\",\"rdfs:label\":\"Dynamic Resolution\"},{\"@id\":\"d3f:T1568.001\",\"d3f:attack-id\":\"T1568.001\",\"d3f:definition\":\"Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. 
This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\",\"rdfs:label\":\"Fast Flux DNS\"},{\"@id\":\"d3f:T1568.002\",\"d3f:attack-id\":\"T1568.002\",\"d3f:definition\":\"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\",\"rdfs:label\":\"Domain Generation Algorithms\"},{\"@id\":\"d3f:T1568.003\",\"d3f:attack-id\":\"T1568.003\",\"d3f:definition\":\"Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\",\"rdfs:label\":\"DNS Calculation\"},{\"@id\":\"d3f:T1569\",\"d3f:attack-id\":\"T1569\",\"d3f:definition\":\"This technique has been deprecated.\",\"rdfs:label\":\"System Services\"},{\"@id\":\"d3f:T1569.001\",\"d3f:attack-id\":\"T1569.001\",\"d3f:definition\":\"Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. 
Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\",\"rdfs:label\":\"Launchctl\"},{\"@id\":\"d3f:T1569.002\",\"d3f:attack-id\":\"T1569.002\",\"d3f:definition\":\"Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (\u003Ccode>services.exe\u003C/code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as \u003Ccode>sc.exe\u003C/code> and [Net](https://attack.mitre.org/software/S0039).\",\"rdfs:label\":\"Service Execution\"},{\"@id\":\"d3f:T1570\",\"d3f:attack-id\":\"T1570\",\"d3f:definition\":\"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\",\"rdfs:label\":\"Lateral Tool Transfer\"},{\"@id\":\"d3f:T1571\",\"d3f:attack-id\":\"T1571\",\"d3f:definition\":\"Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\",\"rdfs:label\":\"Non-Standard Port\"},{\"@id\":\"d3f:T1572\",\"d3f:attack-id\":\"T1572\",\"d3f:definition\":\"Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. 
Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.\",\"rdfs:label\":\"Protocol Tunneling\"},{\"@id\":\"d3f:T1573\",\"d3f:attack-id\":\"T1573\",\"d3f:definition\":\"Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.\",\"rdfs:label\":\"Encrypted Channel\"},{\"@id\":\"d3f:T1573.001\",\"d3f:attack-id\":\"T1573.001\",\"d3f:definition\":\"Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.\",\"rdfs:label\":\"Symmetric Cryptography\"},{\"@id\":\"d3f:T1573.002\",\"d3f:attack-id\":\"T1573.002\",\"d3f:definition\":\"Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. 
Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\",\"rdfs:label\":\"Asymmetric Cryptography\"},{\"@id\":\"d3f:T1574\",\"d3f:attack-id\":\"T1574\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\",\"rdfs:label\":\"Hijack Execution Flow\"},{\"@id\":\"d3f:T1574.001\",\"d3f:attack-id\":\"T1574.001\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\",\"rdfs:label\":\"DLL Search Order Hijacking\"},{\"@id\":\"d3f:T1574.002\",\"d3f:attack-id\":\"T1574.002\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. 
But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\",\"rdfs:label\":\"DLL Side-Loading\"},{\"@id\":\"d3f:T1574.004\",\"d3f:attack-id\":\"T1574.004\",\"d3f:definition\":\"Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with \u003Ccode>@rpath\u003C/code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the \u003Ccode>LC_LOAD_WEAK_DYLIB\u003C/code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\",\"rdfs:label\":\"Dylib Hijacking\"},{\"@id\":\"d3f:T1574.005\",\"d3f:attack-id\":\"T1574.005\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\",\"rdfs:label\":\"Executable Installer File Permissions Weakness\"},{\"@id\":\"d3f:T1574.006\",\"d3f:attack-id\":\"T1574.006\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as \u003Ccode>LD_PRELOAD\u003C/code> on Linux or \u003Ccode>DYLD_INSERT_LIBRARIES\u003C/code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\",\"rdfs:label\":\"Dynamic Linker Hijacking\"},{\"@id\":\"d3f:T1574.007\",\"d3f:attack-id\":\"T1574.007\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.\",\"rdfs:label\":\"Path Interception by PATH Environment Variable\"},{\"@id\":\"d3f:T1574.008\",\"d3f:attack-id\":\"T1574.008\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. 
Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\",\"rdfs:label\":\"Path Interception by Search Order Hijacking\"},{\"@id\":\"d3f:T1574.009\",\"d3f:attack-id\":\"T1574.009\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\",\"rdfs:label\":\"Path Interception by Unquoted Path\"},{\"@id\":\"d3f:T1574.010\",\"d3f:attack-id\":\"T1574.010\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\",\"rdfs:label\":\"Services File Permissions Weakness\"},{\"@id\":\"d3f:T1574.011\",\"d3f:attack-id\":\"T1574.011\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. 
Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under \u003Ccode>HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\u003C/code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\",\"rdfs:label\":\"Services Registry Permissions Weakness\"},{\"@id\":\"d3f:T1574.012\",\"d3f:attack-id\":\"T1574.012\",\"d3f:definition\":\"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). 
These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\",\"rdfs:label\":\"COR_PROFILER\"},{\"@id\":\"d3f:T1574.013\",\"d3f:attack-id\":\"T1574.013\",\"d3f:definition\":\"Adversaries may abuse the \u003Ccode>KernelCallbackTable\u003C/code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The \u003Ccode>KernelCallbackTable\u003C/code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once \u003Ccode>user32.dll\u003C/code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)\",\"rdfs:label\":\"KernelCallbackTable\"},{\"@id\":\"d3f:T1574.014\",\"d3f:attack-id\":\"T1574.014\",\"d3f:definition\":\"Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)\",\"rdfs:label\":\"AppDomainManager\"},{\"@id\":\"d3f:T1578\",\"d3f:attack-id\":\"T1578\",\"d3f:definition\":\"An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. 
A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\",\"rdfs:label\":\"Modify Cloud Compute Infrastructure\"},{\"@id\":\"d3f:T1578.001\",\"d3f:attack-id\":\"T1578.001\",\"d3f:definition\":\"An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\",\"rdfs:label\":\"Create Snapshot\"},{\"@id\":\"d3f:T1578.002\",\"d3f:attack-id\":\"T1578.002\",\"d3f:definition\":\"An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\",\"rdfs:label\":\"Create Cloud Instance\"},{\"@id\":\"d3f:T1578.003\",\"d3f:attack-id\":\"T1578.003\",\"d3f:definition\":\"An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. 
Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\",\"rdfs:label\":\"Delete Cloud Instance\"},{\"@id\":\"d3f:T1578.004\",\"d3f:attack-id\":\"T1578.004\",\"d3f:definition\":\"An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\",\"rdfs:label\":\"Revert Cloud Instance\"},{\"@id\":\"d3f:T1578.005\",\"d3f:attack-id\":\"T1578.005\",\"d3f:definition\":\"Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\",\"rdfs:label\":\"Modify Cloud Compute Configurations\"},{\"@id\":\"d3f:T1580\",\"d3f:attack-id\":\"T1580\",\"d3f:definition\":\"An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\",\"rdfs:label\":\"Cloud Infrastructure Discovery\"},{\"@id\":\"d3f:T1583\",\"d3f:attack-id\":\"T1583\",\"d3f:definition\":\"Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. 
A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.\",\"rdfs:label\":\"Acquire Infrastructure\"},{\"@id\":\"d3f:T1583.001\",\"d3f:attack-id\":\"T1583.001\",\"d3f:definition\":\"Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\",\"rdfs:label\":\"Domains\"},{\"@id\":\"d3f:T1583.002\",\"d3f:attack-id\":\"T1583.002\",\"d3f:definition\":\"Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\",\"rdfs:label\":\"DNS Server\"},{\"@id\":\"d3f:T1583.003\",\"d3f:attack-id\":\"T1583.003\",\"d3f:definition\":\"Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. 
The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\",\"rdfs:label\":\"Virtual Private Server\"},{\"@id\":\"d3f:T1583.004\",\"d3f:attack-id\":\"T1583.004\",\"d3f:definition\":\"Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)\",\"rdfs:label\":\"Server\"},{\"@id\":\"d3f:T1583.005\",\"d3f:attack-id\":\"T1583.005\",\"d3f:definition\":\"Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. 
With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)\",\"rdfs:label\":\"Botnet\"},{\"@id\":\"d3f:T1583.006\",\"d3f:attack-id\":\"T1583.006\",\"d3f:definition\":\"Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.\",\"rdfs:label\":\"Web Services\"},{\"@id\":\"d3f:T1583.007\",\"d3f:attack-id\":\"T1583.007\",\"d3f:definition\":\"Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\",\"rdfs:label\":\"Serverless\"},{\"@id\":\"d3f:T1583.008\",\"d3f:attack-id\":\"T1583.008\",\"d3f:definition\":\"Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. 
These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.\",\"rdfs:label\":\"Malvertising\"},{\"@id\":\"d3f:T1584\",\"d3f:attack-id\":\"T1584\",\"d3f:definition\":\"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\",\"rdfs:label\":\"Compromise Infrastructure\"},{\"@id\":\"d3f:T1584.001\",\"d3f:attack-id\":\"T1584.001\",\"d3f:definition\":\"Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. 
Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\",\"rdfs:label\":\"Domains\"},{\"@id\":\"d3f:T1584.002\",\"d3f:attack-id\":\"T1584.002\",\"d3f:definition\":\"Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\",\"rdfs:label\":\"DNS Server\"},{\"@id\":\"d3f:T1584.003\",\"d3f:attack-id\":\"T1584.003\",\"d3f:definition\":\"Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\",\"rdfs:label\":\"Virtual Private Server\"},{\"@id\":\"d3f:T1584.004\",\"d3f:attack-id\":\"T1584.004\",\"d3f:definition\":\"Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. 
During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\",\"rdfs:label\":\"Server\"},{\"@id\":\"d3f:T1584.005\",\"d3f:attack-id\":\"T1584.005\",\"d3f:definition\":\"Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).\",\"rdfs:label\":\"Botnet\"},{\"@id\":\"d3f:T1584.006\",\"d3f:attack-id\":\"T1584.006\",\"d3f:definition\":\"Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. 
Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.\",\"rdfs:label\":\"Web Services\"},{\"@id\":\"d3f:T1584.007\",\"d3f:attack-id\":\"T1584.007\",\"d3f:definition\":\"Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\",\"rdfs:label\":\"Serverless\"},{\"@id\":\"d3f:T1584.008\",\"d3f:attack-id\":\"T1584.008\",\"d3f:definition\":\"Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.\",\"rdfs:label\":\"Network Devices\"},{\"@id\":\"d3f:T1585\",\"d3f:attack-id\":\"T1585\",\"d3f:definition\":\"Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. 
Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\",\"rdfs:label\":\"Establish Accounts\"},{\"@id\":\"d3f:T1585.001\",\"d3f:attack-id\":\"T1585.001\",\"d3f:definition\":\"Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\",\"rdfs:label\":\"Social Media Accounts\"},{\"@id\":\"d3f:T1585.002\",\"d3f:attack-id\":\"T1585.002\",\"d3f:definition\":\"Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)\",\"rdfs:label\":\"Email Accounts\"},{\"@id\":\"d3f:T1585.003\",\"d3f:attack-id\":\"T1585.003\",\"d3f:definition\":\"Adversaries may create accounts with cloud providers that can be used during targeting. 
Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\",\"rdfs:label\":\"Cloud Accounts\"},{\"@id\":\"d3f:T1586\",\"d3f:attack-id\":\"T1586\",\"d3f:definition\":\"Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.\",\"rdfs:label\":\"Compromise Accounts\"},{\"@id\":\"d3f:T1586.001\",\"d3f:attack-id\":\"T1586.001\",\"d3f:definition\":\"Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. 
Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.\",\"rdfs:label\":\"Social Media Accounts\"},{\"@id\":\"d3f:T1586.002\",\"d3f:attack-id\":\"T1586.002\",\"d3f:definition\":\"Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\",\"rdfs:label\":\"Email Accounts\"},{\"@id\":\"d3f:T1586.003\",\"d3f:attack-id\":\"T1586.003\",\"d3f:definition\":\"Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. 
Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\",\"rdfs:label\":\"Cloud Accounts\"},{\"@id\":\"d3f:T1587\",\"d3f:attack-id\":\"T1587\",\"d3f:definition\":\"Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\",\"rdfs:label\":\"Develop Capabilities\"},{\"@id\":\"d3f:T1587.001\",\"d3f:attack-id\":\"T1587.001\",\"d3f:definition\":\"Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\",\"rdfs:label\":\"Malware\"},{\"@id\":\"d3f:T1587.002\",\"d3f:attack-id\":\"T1587.002\",\"d3f:definition\":\"Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. 
Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\",\"rdfs:label\":\"Code Signing Certificates\"},{\"@id\":\"d3f:T1587.003\",\"d3f:attack-id\":\"T1587.003\",\"d3f:definition\":\"Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\",\"rdfs:label\":\"Digital Certificates\"},{\"@id\":\"d3f:T1587.004\",\"d3f:attack-id\":\"T1587.004\",\"d3f:definition\":\"Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. 
As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\",\"rdfs:label\":\"Exploits\"},{\"@id\":\"d3f:T1588\",\"d3f:attack-id\":\"T1588\",\"d3f:definition\":\"Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\",\"rdfs:label\":\"Obtain Capabilities\"},{\"@id\":\"d3f:T1588.001\",\"d3f:attack-id\":\"T1588.001\",\"d3f:definition\":\"Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\",\"rdfs:label\":\"Malware\"},{\"@id\":\"d3f:T1588.002\",\"d3f:attack-id\":\"T1588.002\",\"d3f:definition\":\"Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). 
Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\",\"rdfs:label\":\"Tool\"},{\"@id\":\"d3f:T1588.003\",\"d3f:attack-id\":\"T1588.003\",\"d3f:definition\":\"Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\",\"rdfs:label\":\"Code Signing Certificates\"},{\"@id\":\"d3f:T1588.004\",\"d3f:attack-id\":\"T1588.004\",\"d3f:definition\":\"Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\",\"rdfs:label\":\"Digital Certificates\"},{\"@id\":\"d3f:T1588.005\",\"d3f:attack-id\":\"T1588.005\",\"d3f:definition\":\"Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. 
Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\",\"rdfs:label\":\"Exploits\"},{\"@id\":\"d3f:T1588.006\",\"d3f:attack-id\":\"T1588.006\",\"d3f:definition\":\"Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\",\"rdfs:label\":\"Vulnerabilities\"},{\"@id\":\"d3f:T1588.007\",\"d3f:attack-id\":\"T1588.007\",\"d3f:definition\":\"Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)\",\"rdfs:label\":\"Artificial Intelligence\"},{\"@id\":\"d3f:T1589\",\"d3f:attack-id\":\"T1589\",\"d3f:definition\":\"Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\",\"rdfs:label\":\"Gather Victim Identity Information\"},{\"@id\":\"d3f:T1589.001\",\"d3f:attack-id\":\"T1589.001\",\"d3f:definition\":\"Adversaries may gather credentials that can be used during targeting. 
Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\",\"rdfs:label\":\"Credentials\"},{\"@id\":\"d3f:T1589.002\",\"d3f:attack-id\":\"T1589.002\",\"d3f:definition\":\"Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\",\"rdfs:label\":\"Email Addresses\"},{\"@id\":\"d3f:T1589.003\",\"d3f:attack-id\":\"T1589.003\",\"d3f:definition\":\"Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\",\"rdfs:label\":\"Employee Names\"},{\"@id\":\"d3f:T1590\",\"d3f:attack-id\":\"T1590\",\"d3f:definition\":\"Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\",\"rdfs:label\":\"Gather Victim Network Information\"},{\"@id\":\"d3f:T1590.001\",\"d3f:attack-id\":\"T1590.001\",\"d3f:definition\":\"Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) 
and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\",\"rdfs:label\":\"Domain Properties\"},{\"@id\":\"d3f:T1590.002\",\"d3f:attack-id\":\"T1590.002\",\"d3f:definition\":\"Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\",\"rdfs:label\":\"DNS\"},{\"@id\":\"d3f:T1590.003\",\"d3f:attack-id\":\"T1590.003\",\"d3f:definition\":\"Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\",\"rdfs:label\":\"Network Trust Dependencies\"},{\"@id\":\"d3f:T1590.004\",\"d3f:attack-id\":\"T1590.004\",\"d3f:definition\":\"Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\",\"rdfs:label\":\"Network Topology\"},{\"@id\":\"d3f:T1590.005\",\"d3f:attack-id\":\"T1590.005\",\"d3f:definition\":\"Adversaries may gather the victim's IP addresses that can be used during targeting. 
Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.\",\"rdfs:label\":\"IP Addresses\"},{\"@id\":\"d3f:T1590.006\",\"d3f:attack-id\":\"T1590.006\",\"d3f:definition\":\"Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\",\"rdfs:label\":\"Network Security Appliances\"},{\"@id\":\"d3f:T1591\",\"d3f:attack-id\":\"T1591\",\"d3f:definition\":\"Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\",\"rdfs:label\":\"Gather Victim Org Information\"},{\"@id\":\"d3f:T1591.001\",\"d3f:attack-id\":\"T1591.001\",\"d3f:definition\":\"Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. 
Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\",\"rdfs:label\":\"Determine Physical Locations\"},{\"@id\":\"d3f:T1591.002\",\"d3f:attack-id\":\"T1591.002\",\"d3f:definition\":\"Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\",\"rdfs:label\":\"Business Relationships\"},{\"@id\":\"d3f:T1591.003\",\"d3f:attack-id\":\"T1591.003\",\"d3f:definition\":\"Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\",\"rdfs:label\":\"Identify Business Tempo\"},{\"@id\":\"d3f:T1591.004\",\"d3f:attack-id\":\"T1591.004\",\"d3f:definition\":\"Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\",\"rdfs:label\":\"Identify Roles\"},{\"@id\":\"d3f:T1592\",\"d3f:attack-id\":\"T1592\",\"d3f:definition\":\"Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) 
as well as specifics regarding its configuration (ex: operating system, language, etc.).\",\"rdfs:label\":\"Gather Victim Host Information\"},{\"@id\":\"d3f:T1592.001\",\"d3f:attack-id\":\"T1592.001\",\"d3f:definition\":\"Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\",\"rdfs:label\":\"Hardware\"},{\"@id\":\"d3f:T1592.002\",\"d3f:attack-id\":\"T1592.002\",\"d3f:definition\":\"Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\",\"rdfs:label\":\"Software\"},{\"@id\":\"d3f:T1592.003\",\"d3f:attack-id\":\"T1592.003\",\"d3f:definition\":\"Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\",\"rdfs:label\":\"Firmware\"},{\"@id\":\"d3f:T1592.004\",\"d3f:attack-id\":\"T1592.004\",\"d3f:definition\":\"Adversaries may gather information about the victim's client configurations that can be used during targeting. 
Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\",\"rdfs:label\":\"Client Configurations\"},{\"@id\":\"d3f:T1593\",\"d3f:attack-id\":\"T1593\",\"d3f:definition\":\"Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\",\"rdfs:label\":\"Search Open Websites/Domains\"},{\"@id\":\"d3f:T1593.001\",\"d3f:attack-id\":\"T1593.001\",\"d3f:definition\":\"Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\",\"rdfs:label\":\"Social Media\"},{\"@id\":\"d3f:T1593.002\",\"d3f:attack-id\":\"T1593.002\",\"d3f:definition\":\"Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\",\"rdfs:label\":\"Search Engines\"},{\"@id\":\"d3f:T1593.003\",\"d3f:attack-id\":\"T1593.003\",\"d3f:definition\":\"Adversaries may search public code repositories for information about victims that can be used during targeting. 
Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\",\"rdfs:label\":\"Code Repositories\"},{\"@id\":\"d3f:T1594\",\"d3f:attack-id\":\"T1594\",\"d3f:definition\":\"Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\",\"rdfs:label\":\"Search Victim-Owned Websites\"},{\"@id\":\"d3f:T1595\",\"d3f:attack-id\":\"T1595\",\"d3f:definition\":\"Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\",\"rdfs:label\":\"Active Scanning\"},{\"@id\":\"d3f:T1595.001\",\"d3f:attack-id\":\"T1595.001\",\"d3f:definition\":\"Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\",\"rdfs:label\":\"Scanning IP Blocks\"},{\"@id\":\"d3f:T1595.002\",\"d3f:attack-id\":\"T1595.002\",\"d3f:definition\":\"Adversaries may scan victims for vulnerabilities that can be used during targeting. 
Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\",\"rdfs:label\":\"Vulnerability Scanning\"},{\"@id\":\"d3f:T1595.003\",\"d3f:attack-id\":\"T1595.003\",\"d3f:definition\":\"Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).\",\"rdfs:label\":\"Wordlist Scanning\"},{\"@id\":\"d3f:T1596\",\"d3f:attack-id\":\"T1596\",\"d3f:definition\":\"Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\",\"rdfs:label\":\"Search Open Technical Databases\"},{\"@id\":\"d3f:T1596.001\",\"d3f:attack-id\":\"T1596.001\",\"d3f:definition\":\"Adversaries may search DNS data for information about victims that can be used during targeting. 
DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\",\"rdfs:label\":\"DNS/Passive DNS\"},{\"@id\":\"d3f:T1596.002\",\"d3f:attack-id\":\"T1596.002\",\"d3f:definition\":\"Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\",\"rdfs:label\":\"WHOIS\"},{\"@id\":\"d3f:T1596.003\",\"d3f:attack-id\":\"T1596.003\",\"d3f:definition\":\"Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\",\"rdfs:label\":\"Digital Certificates\"},{\"@id\":\"d3f:T1596.004\",\"d3f:attack-id\":\"T1596.004\",\"d3f:definition\":\"Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\",\"rdfs:label\":\"CDNs\"},{\"@id\":\"d3f:T1596.005\",\"d3f:attack-id\":\"T1596.005\",\"d3f:definition\":\"Adversaries may search within public scan databases for information about victims that can be used during targeting. 
Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\",\"rdfs:label\":\"Scan Databases\"},{\"@id\":\"d3f:T1597\",\"d3f:attack-id\":\"T1597\",\"d3f:definition\":\"Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\",\"rdfs:label\":\"Search Closed Sources\"},{\"@id\":\"d3f:T1597.001\",\"d3f:attack-id\":\"T1597.001\",\"d3f:definition\":\"Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\",\"rdfs:label\":\"Threat Intel Vendors\"},{\"@id\":\"d3f:T1597.002\",\"d3f:attack-id\":\"T1597.002\",\"d3f:definition\":\"Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. 
Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\",\"rdfs:label\":\"Purchase Technical Data\"},{\"@id\":\"d3f:T1598\",\"d3f:attack-id\":\"T1598\",\"d3f:definition\":\"Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\",\"rdfs:label\":\"Phishing for Information\"},{\"@id\":\"d3f:T1598.001\",\"d3f:attack-id\":\"T1598.001\",\"d3f:definition\":\"Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\",\"rdfs:label\":\"Spearphishing Service\"},{\"@id\":\"d3f:T1598.002\",\"d3f:attack-id\":\"T1598.002\",\"d3f:definition\":\"Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. 
Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\",\"rdfs:label\":\"Spearphishing Attachment\"},{\"@id\":\"d3f:T1598.003\",\"d3f:attack-id\":\"T1598.003\",\"d3f:definition\":\"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\",\"rdfs:label\":\"Spearphishing Link\"},{\"@id\":\"d3f:T1598.004\",\"d3f:attack-id\":\"T1598.004\",\"d3f:definition\":\"Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\",\"rdfs:label\":\"Spearphishing Voice\"},{\"@id\":\"d3f:T1599\",\"d3f:attack-id\":\"T1599\",\"d3f:definition\":\"Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. 
Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\",\"rdfs:label\":\"Network Boundary Bridging\"},{\"@id\":\"d3f:T1599.001\",\"d3f:attack-id\":\"T1599.001\",\"d3f:definition\":\"Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\",\"rdfs:label\":\"Network Address Translation Traversal\"},{\"@id\":\"d3f:T1600\",\"d3f:attack-id\":\"T1600\",\"d3f:definition\":\"Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\",\"rdfs:label\":\"Weaken Encryption\"},{\"@id\":\"d3f:T1600.001\",\"d3f:attack-id\":\"T1600.001\",\"d3f:definition\":\"Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\",\"rdfs:label\":\"Reduce Key Space\"},{\"@id\":\"d3f:T1600.002\",\"d3f:attack-id\":\"T1600.002\",\"d3f:definition\":\"Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\",\"rdfs:label\":\"Disable Crypto Hardware\"},{\"@id\":\"d3f:T1601\",\"d3f:attack-id\":\"T1601\",\"d3f:definition\":\"Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. 
On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\",\"rdfs:label\":\"Modify System Image\"},{\"@id\":\"d3f:T1601.001\",\"d3f:attack-id\":\"T1601.001\",\"d3f:definition\":\"Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\",\"rdfs:label\":\"Patch System Image\"},{\"@id\":\"d3f:T1601.002\",\"d3f:attack-id\":\"T1601.002\",\"d3f:definition\":\"Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\",\"rdfs:label\":\"Downgrade System Image\"},{\"@id\":\"d3f:T1602\",\"d3f:attack-id\":\"T1602\",\"d3f:definition\":\"Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. 
Configuration repositories may also facilitate remote access and administration of devices.\",\"rdfs:label\":\"Data from Configuration Repository\"},{\"@id\":\"d3f:T1602.001\",\"d3f:attack-id\":\"T1602.001\",\"d3f:definition\":\"Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\",\"rdfs:label\":\"SNMP (MIB Dump)\"},{\"@id\":\"d3f:T1602.002\",\"d3f:attack-id\":\"T1602.002\",\"d3f:definition\":\"Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\",\"rdfs:label\":\"Network Device Configuration Dump\"},{\"@id\":\"d3f:T1606\",\"d3f:attack-id\":\"T1606\",\"d3f:definition\":\"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\",\"rdfs:label\":\"Forge Web Credentials\"},{\"@id\":\"d3f:T1606.001\",\"d3f:attack-id\":\"T1606.001\",\"d3f:definition\":\"Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. 
Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\",\"rdfs:label\":\"Web Cookies\"},{\"@id\":\"d3f:T1606.002\",\"d3f:attack-id\":\"T1606.002\",\"d3f:definition\":\"An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the \u003Ccode>NotOnOrAfter\u003C/code> value of the \u003Ccode>conditions ...\u003C/code> element in a token. This value can be changed using the \u003Ccode>AccessTokenLifetime\u003C/code> in a \u003Ccode>LifetimeTokenPolicy\u003C/code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\",\"rdfs:label\":\"SAML Tokens\"},{\"@id\":\"d3f:T1608\",\"d3f:attack-id\":\"T1608\",\"d3f:definition\":\"Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). 
Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)\",\"rdfs:label\":\"Stage Capabilities\"},{\"@id\":\"d3f:T1608.001\",\"d3f:attack-id\":\"T1608.001\",\"d3f:definition\":\"Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\",\"rdfs:label\":\"Upload Malware\"},{\"@id\":\"d3f:T1608.002\",\"d3f:attack-id\":\"T1608.002\",\"d3f:definition\":\"Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\",\"rdfs:label\":\"Upload Tool\"},{\"@id\":\"d3f:T1608.003\",\"d3f:attack-id\":\"T1608.003\",\"d3f:definition\":\"Adversaries may install SSL/TLS certificates that can be used during targeting. 
SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)\",\"rdfs:label\":\"Install Digital Certificate\"},{\"@id\":\"d3f:T1608.004\",\"d3f:attack-id\":\"T1608.004\",\"d3f:definition\":\"Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. 
Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\",\"rdfs:label\":\"Drive-by Target\"},{\"@id\":\"d3f:T1608.005\",\"d3f:attack-id\":\"T1608.005\",\"d3f:definition\":\"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.\",\"rdfs:label\":\"Link Target\"},{\"@id\":\"d3f:T1608.006\",\"d3f:attack-id\":\"T1608.006\",\"d3f:definition\":\"Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)\",\"rdfs:label\":\"SEO Poisoning\"},{\"@id\":\"d3f:T1609\",\"d3f:attack-id\":\"T1609\",\"d3f:definition\":\"Adversaries may abuse a container administration service to execute commands within a container. 
A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)\",\"rdfs:label\":\"Container Administration Command\"},{\"@id\":\"d3f:T1610\",\"d3f:attack-id\":\"T1610\",\"d3f:definition\":\"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\",\"rdfs:label\":\"Deploy Container\"},{\"@id\":\"d3f:T1611\",\"d3f:attack-id\":\"T1611\",\"d3f:definition\":\"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\",\"rdfs:label\":\"Escape to Host\"},{\"@id\":\"d3f:T1612\",\"d3f:attack-id\":\"T1612\",\"d3f:definition\":\"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. 
A remote \u003Ccode>build\u003C/code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\",\"rdfs:label\":\"Build Image on Host\"},{\"@id\":\"d3f:T1613\",\"d3f:attack-id\":\"T1613\",\"d3f:definition\":\"Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\",\"rdfs:label\":\"Container and Resource Discovery\"},{\"@id\":\"d3f:T1614\",\"d3f:attack-id\":\"T1614\",\"d3f:definition\":\"\",\"rdfs:label\":\"System Location Discovery\"},{\"@id\":\"d3f:T1614.001\",\"d3f:attack-id\":\"T1614.001\",\"d3f:definition\":\"Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\",\"rdfs:label\":\"System Language Discovery\"},{\"@id\":\"d3f:T1615\",\"d3f:attack-id\":\"T1615\",\"d3f:definition\":\"Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). 
Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\\u003CDOMAIN>\\\\SYSVOL\\\\\u003CDOMAIN>\\\\Policies\\\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\",\"rdfs:label\":\"Group Policy Discovery\"},{\"@id\":\"d3f:T1619\",\"d3f:attack-id\":\"T1619\",\"d3f:definition\":\"Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\",\"rdfs:label\":\"Cloud Storage Object Discovery\"},{\"@id\":\"d3f:T1620\",\"d3f:attack-id\":\"T1620\",\"d3f:definition\":\"Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).\",\"rdfs:label\":\"Reflective Code Loading\"},{\"@id\":\"d3f:T1621\",\"d3f:attack-id\":\"T1621\",\"d3f:definition\":\"Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\",\"rdfs:label\":\"Multi-Factor Authentication Request Generation\"},{\"@id\":\"d3f:T1622\",\"d3f:attack-id\":\"T1622\",\"d3f:definition\":\"Adversaries may employ various means to detect and avoid debuggers. 
Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\",\"rdfs:label\":\"Debugger Evasion\"},{\"@id\":\"d3f:T1647\",\"d3f:attack-id\":\"T1647\",\"d3f:definition\":\"Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the \u003Ccode>info.plist\u003C/code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)\",\"rdfs:label\":\"Plist File Modification\"},{\"@id\":\"d3f:T1648\",\"d3f:attack-id\":\"T1648\",\"d3f:definition\":\"Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.\",\"rdfs:label\":\"Serverless Execution\"},{\"@id\":\"d3f:T1649\",\"d3f:attack-id\":\"T1649\",\"d3f:definition\":\"Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. 
For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\",\"rdfs:label\":\"Steal or Forge Authentication Certificates\"},{\"@id\":\"d3f:T1650\",\"d3f:attack-id\":\"T1650\",\"d3f:definition\":\"Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)\",\"rdfs:label\":\"Acquire Access\"},{\"@id\":\"d3f:T1651\",\"d3f:attack-id\":\"T1651\",\"d3f:definition\":\"Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)\",\"rdfs:label\":\"Cloud Administration Command\"},{\"@id\":\"d3f:T1652\",\"d3f:attack-id\":\"T1652\",\"d3f:definition\":\"Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. 
[Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).\",\"rdfs:label\":\"Device Driver Discovery\"},{\"@id\":\"d3f:T1653\",\"d3f:attack-id\":\"T1653\",\"d3f:definition\":\"Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)\",\"rdfs:label\":\"Power Settings\"},{\"@id\":\"d3f:T1654\",\"d3f:attack-id\":\"T1654\",\"d3f:definition\":\"Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\",\"rdfs:label\":\"Log Enumeration\"},{\"@id\":\"d3f:T1656\",\"d3f:attack-id\":\"T1656\",\"d3f:definition\":\"Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. 
Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.\",\"rdfs:label\":\"Impersonation\"},{\"@id\":\"d3f:T1657\",\"d3f:attack-id\":\"T1657\",\"d3f:definition\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)\",\"rdfs:label\":\"Financial Theft\"},{\"@id\":\"d3f:T1659\",\"d3f:attack-id\":\"T1659\",\"d3f:definition\":\"Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)\",\"rdfs:label\":\"Content Injection\"},{\"@id\":\"d3f:T1665\",\"d3f:attack-id\":\"T1665\",\"d3f:definition\":\"Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. 
This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\",\"rdfs:label\":\"Hide Infrastructure\"},{\"@id\":\"d3f:T1666\",\"d3f:attack-id\":\"T1666\",\"d3f:definition\":\"Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.\",\"rdfs:label\":\"Modify Cloud Resource Hierarchy\"}]}"}</script>
<script type="application/json" data-sveltekit-fetched data-url="/api/technique/all.json">{"status":200,"statusText":"","headers":{},"body":"{\"@context\":{\"rdfs\":\"http://www.w3.org/2000/01/rdf-schema#\",\"owl\":\"http://www.w3.org/2002/07/owl#\",\"d3f\":\"http://d3fend.mitre.org/ontologies/d3fend.owl#\",\"skos\":\"http://www.w3.org/2004/02/skos/core#\"},\"@graph\":[{\"@id\":\"d3f:AccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AMED\",\"d3f:synonym\":\"Access Control\",\"rdfs:label\":\"Access Mediation\"},{\"@id\":\"d3f:AccessModeling\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AM\",\"rdfs:label\":\"Access Modeling\"},{\"@id\":\"d3f:AccessPolicyAdministration\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-APA\",\"d3f:synonym\":\"Access Control Administration\",\"rdfs:label\":\"Access Policy Administration\"},{\"@id\":\"d3f:AccountLocking\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AL\",\"rdfs:label\":\"Account Locking\"},{\"@id\":\"d3f:ActiveCertificateAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ACA\",\"rdfs:label\":\"Active Certificate Analysis\"},{\"@id\":\"d3f:ActiveLogicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ALLM\",\"rdfs:label\":\"Active Logical Link Mapping\"},{\"@id\":\"d3f:ActivePhysicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-APLM\",\"d3f:synonym\":\"Active Physical Layer Mapping\",\"rdfs:label\":\"Active Physical Link Mapping\"},{\"@id\":\"d3f:AdministrativeNetworkActivityAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ANAA\",\"rdfs:label\":\"Administrative Network Activity Analysis\"},{\"@id\":\"d3f:AgentAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AA\",\"rdfs:label\":\"Agent Authentication\"},{\"@id\":\"d3f:Application-basedProcessIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ABPI\",\"d3f:synonym\":[\"Browser-based Process Isolation\",\"Remote Browser Isolation\",\"Sandbox\"],\"rdfs:label\":\"Application-based Process 
Isolation\"},{\"@id\":\"d3f:ApplicationConfigurationHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ACH\",\"rdfs:label\":\"Application Configuration Hardening\"},{\"@id\":\"d3f:ApplicationHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AH\",\"d3f:synonym\":\"Process Hardening\",\"rdfs:label\":\"Application Hardening\"},{\"@id\":\"d3f:AssetInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AI\",\"d3f:synonym\":[\"Asset Discovery\",\"Asset Inventorying\"],\"rdfs:label\":\"Asset Inventory\"},{\"@id\":\"d3f:AssetVulnerabilityEnumeration\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AVE\",\"rdfs:label\":\"Asset Vulnerability Enumeration\"},{\"@id\":\"d3f:AuthenticationCacheInvalidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ANCI\",\"rdfs:label\":\"Authentication Cache Invalidation\"},{\"@id\":\"d3f:AuthenticationEventThresholding\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ANET\",\"rdfs:label\":\"Authentication Event Thresholding\"},{\"@id\":\"d3f:AuthorizationEventThresholding\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-AZET\",\"rdfs:label\":\"Authorization Event Thresholding\"},{\"@id\":\"d3f:BiometricAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-BAN\",\"rdfs:label\":\"Biometric Authentication\"},{\"@id\":\"d3f:BootloaderAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-BA\",\"d3f:synonym\":\"Secure Boot\",\"rdfs:label\":\"Bootloader Authentication\"},{\"@id\":\"d3f:BroadcastDomainIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-BDI\",\"d3f:synonym\":\"Network Segmentation\",\"rdfs:label\":\"Broadcast Domain Isolation\"},{\"@id\":\"d3f:ByteSequenceEmulation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-BSE\",\"d3f:synonym\":\"Shellcode Transmission Detection\",\"rdfs:label\":\"Byte Sequence Emulation\"},{\"@id\":\"d3f:Certificate-basedAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CBAN\",\"rdfs:label\":\"Certificate-based 
Authentication\"},{\"@id\":\"d3f:CertificateAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CA\",\"rdfs:label\":\"Certificate Analysis\"},{\"@id\":\"d3f:CertificatePinning\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CP\",\"rdfs:label\":\"Certificate Pinning\"},{\"@id\":\"d3f:CertificateRotation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CERO\",\"rdfs:label\":\"Certificate Rotation\"},{\"@id\":\"d3f:Client-serverPayloadProfiling\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CSPP\",\"rdfs:label\":\"Client-server Payload Profiling\"},{\"@id\":\"d3f:ConfigurationInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CI\",\"rdfs:label\":\"Configuration Inventory\"},{\"@id\":\"d3f:ConnectedHoneynet\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CHN\",\"rdfs:label\":\"Connected Honeynet\"},{\"@id\":\"d3f:ConnectionAttemptAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CAA\",\"d3f:synonym\":\"Network Scan Detection\",\"rdfs:label\":\"Connection Attempt Analysis\"},{\"@id\":\"d3f:ContainerImageAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CIA\",\"d3f:synonym\":\"Container Image Scanning\",\"rdfs:label\":\"Container Image Analysis\"},{\"@id\":\"d3f:CredentialCompromiseScopeAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CCSA\",\"rdfs:label\":\"Credential Compromise Scope Analysis\"},{\"@id\":\"d3f:CredentialEviction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CE\",\"rdfs:label\":\"Credential Eviction\"},{\"@id\":\"d3f:CredentialHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CH\",\"rdfs:label\":\"Credential Hardening\"},{\"@id\":\"d3f:CredentialRevocation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CR\",\"rdfs:label\":\"Credential Revocation\"},{\"@id\":\"d3f:CredentialRotation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CRO\",\"rdfs:label\":\"Credential Rotation\"},{\"@id\":\"d3f:CredentialScrubbing\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CS\",\"rdfs:label\":\"Credential 
Scrubbing\"},{\"@id\":\"d3f:CredentialTransmissionScoping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-CTS\",\"d3f:synonym\":\"Phishing Resistant Authentication\",\"rdfs:label\":\"Credential Transmission Scoping\"},{\"@id\":\"d3f:DNSAllowlisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNSAL\",\"d3f:synonym\":\"DNS Whitelisting\",\"rdfs:label\":\"DNS Allowlisting\"},{\"@id\":\"d3f:DNSCacheEviction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNSCE\",\"d3f:synonym\":\"Flush DNS Cache\",\"rdfs:label\":\"DNS Cache Eviction\"},{\"@id\":\"d3f:DNSDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNSDL\",\"d3f:synonym\":\"DNS Blacklisting\",\"rdfs:label\":\"DNS Denylisting\"},{\"@id\":\"d3f:DNSTrafficAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNSTA\",\"d3f:synonym\":\"Domain Name Analysis\",\"rdfs:label\":\"DNS Traffic Analysis\"},{\"@id\":\"d3f:DataExchangeMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DEM\",\"d3f:synonym\":[\"Information Exchange Mapping\",\"Data Flow Mapping\"],\"rdfs:label\":\"Data Exchange Mapping\"},{\"@id\":\"d3f:DataInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DI\",\"d3f:synonym\":[\"Data Discovery\",\"Data Inventorying\"],\"rdfs:label\":\"Data Inventory\"},{\"@id\":\"d3f:DatabaseQueryStringAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DQSA\",\"rdfs:label\":\"Database Query String Analysis\"},{\"@id\":\"d3f:DeadCodeElimination\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DCE\",\"rdfs:label\":\"Dead Code Elimination\"},{\"@id\":\"d3f:DecoyEnvironment\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DE\",\"d3f:synonym\":\"Honeypot\",\"rdfs:label\":\"Decoy Environment\"},{\"@id\":\"d3f:DecoyFile\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DF\",\"rdfs:label\":\"Decoy File\"},{\"@id\":\"d3f:DecoyNetworkResource\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNR\",\"rdfs:label\":\"Decoy Network 
Resource\"},{\"@id\":\"d3f:DecoyObject\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DO\",\"d3f:synonym\":\"Lure\",\"rdfs:label\":\"Decoy Object\"},{\"@id\":\"d3f:DecoyPersona\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DP\",\"rdfs:label\":\"Decoy Persona\"},{\"@id\":\"d3f:DecoyPublicRelease\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DPR\",\"rdfs:label\":\"Decoy Public Release\"},{\"@id\":\"d3f:DecoySessionToken\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DST\",\"rdfs:label\":\"Decoy Session Token\"},{\"@id\":\"d3f:DecoyUserCredential\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DUC\",\"rdfs:label\":\"Decoy User Credential\"},{\"@id\":\"d3f:DirectPhysicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DPLM\",\"d3f:synonym\":\"Manual Physical Link Mapping\",\"rdfs:label\":\"Direct Physical Link Mapping\"},{\"@id\":\"d3f:DiskEncryption\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DENCR\",\"rdfs:label\":\"Disk Encryption\"},{\"@id\":\"d3f:DiskErasure\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DKE\",\"rdfs:label\":\"Disk Erasure\"},{\"@id\":\"d3f:DiskFormatting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DKF\",\"rdfs:label\":\"Disk Formatting\"},{\"@id\":\"d3f:DiskPartitioning\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DKP\",\"rdfs:label\":\"Disk Partitioning\"},{\"@id\":\"d3f:DomainAccountMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DAM\",\"rdfs:label\":\"Domain Account Monitoring\"},{\"@id\":\"d3f:DomainNameReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DNRA\",\"rdfs:label\":\"Domain Name Reputation Analysis\"},{\"@id\":\"d3f:DomainRegistrationTakedown\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DRT\",\"rdfs:label\":\"Domain Registration Takedown\"},{\"@id\":\"d3f:DomainTrustPolicy\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DTP\",\"rdfs:label\":\"Domain Trust 
Policy\"},{\"@id\":\"d3f:DriverLoadIntegrityChecking\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DLIC\",\"rdfs:label\":\"Driver Load Integrity Checking\"},{\"@id\":\"d3f:DynamicAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-DA\",\"d3f:synonym\":[\"Malware Detonation\",\"Malware Sandbox\"],\"rdfs:label\":\"Dynamic Analysis\"},{\"@id\":\"d3f:EmailFiltering\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EF\",\"rdfs:label\":\"Email Filtering\"},{\"@id\":\"d3f:EmailRemoval\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ER\",\"d3f:synonym\":\"Email Deletion\",\"rdfs:label\":\"Email Removal\"},{\"@id\":\"d3f:EmulatedFileAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EFA\",\"rdfs:label\":\"Emulated File Analysis\"},{\"@id\":\"d3f:EncryptedTunnels\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ET\",\"rdfs:label\":\"Encrypted Tunnels\"},{\"@id\":\"d3f:EndpointBasedWebServerAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EBWSAM\",\"rdfs:label\":\"Endpoint-based Web Server Access Mediation\"},{\"@id\":\"d3f:EndpointHealthBeacon\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EHB\",\"d3f:synonym\":\"Endpoint Health Telemetry\",\"rdfs:label\":\"Endpoint Health Beacon\"},{\"@id\":\"d3f:ExceptionHandlerPointerValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EHPV\",\"d3f:synonym\":\"Exception Handler Validation\",\"rdfs:label\":\"Exception Handler Pointer Validation\"},{\"@id\":\"d3f:ExecutableAllowlisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EAL\",\"d3f:synonym\":\"File Signature Authentication\",\"rdfs:label\":\"Executable Allowlisting\"},{\"@id\":\"d3f:ExecutableDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EDL\",\"d3f:synonym\":\"Executable Blacklisting\",\"rdfs:label\":\"Executable Denylisting\"},{\"@id\":\"d3f:ExecutionIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-EI\",\"rdfs:label\":\"Execution 
Isolation\"},{\"@id\":\"d3f:FileAccessPatternAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FAPA\",\"rdfs:label\":\"File Access Pattern Analysis\"},{\"@id\":\"d3f:FileAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FA\",\"rdfs:label\":\"File Analysis\"},{\"@id\":\"d3f:FileCarving\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FC\",\"rdfs:label\":\"File Carving\"},{\"@id\":\"d3f:FileContentAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FCOA\",\"rdfs:label\":\"File Content Analysis\"},{\"@id\":\"d3f:FileContentRules\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FCR\",\"d3f:synonym\":[\"File Content Signatures\",\"File Signatures\"],\"rdfs:label\":\"File Content Rules\"},{\"@id\":\"d3f:FileCreationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FCA\",\"rdfs:label\":\"File Creation Analysis\"},{\"@id\":\"d3f:FileEncryption\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FE\",\"rdfs:label\":\"File Encryption\"},{\"@id\":\"d3f:FileEviction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FEV\",\"rdfs:label\":\"File Eviction\"},{\"@id\":\"d3f:FileHashReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FHRA\",\"rdfs:label\":\"File Hash Reputation Analysis\"},{\"@id\":\"d3f:FileHashing\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FH\",\"rdfs:label\":\"File Hashing\"},{\"@id\":\"d3f:FileIntegrityMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FIM\",\"rdfs:label\":\"File Integrity Monitoring\"},{\"@id\":\"d3f:FirmwareBehaviorAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FBA\",\"d3f:synonym\":\"Firmware Timing Analysis\",\"rdfs:label\":\"Firmware Behavior Analysis\"},{\"@id\":\"d3f:FirmwareEmbeddedMonitoringCode\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FEMC\",\"rdfs:label\":\"Firmware Embedded Monitoring Code\"},{\"@id\":\"d3f:FirmwareVerification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FV\",\"rdfs:label\":\"Firmware 
Verification\"},{\"@id\":\"d3f:ForwardResolutionDomainDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FRDDL\",\"d3f:synonym\":\"Forward Resolution Domain Blacklisting\",\"rdfs:label\":\"Forward Resolution Domain Denylisting\"},{\"@id\":\"d3f:ForwardResolutionIPDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-FRIDL\",\"d3f:synonym\":\"Forward Resolution IP Blacklisting\",\"rdfs:label\":\"Forward Resolution IP Denylisting\"},{\"@id\":\"d3f:Hardware-basedProcessIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HBPI\",\"d3f:synonym\":\"Virtualization\",\"rdfs:label\":\"Hardware-based Process Isolation\"},{\"@id\":\"d3f:HardwareComponentInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HCI\",\"d3f:synonym\":[\"Hardware Component Discovery\",\"Hardware Component Inventorying\"],\"rdfs:label\":\"Hardware Component Inventory\"},{\"@id\":\"d3f:HierarchicalDomainDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HDDL\",\"d3f:synonym\":\"Hierarchical Domain Blacklisting\",\"rdfs:label\":\"Hierarchical Domain Denylisting\"},{\"@id\":\"d3f:HomoglyphDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HDL\",\"d3f:synonym\":\"Homoglyph Blacklisting\",\"rdfs:label\":\"Homoglyph Denylisting\"},{\"@id\":\"d3f:HomoglyphDetection\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HD\",\"rdfs:label\":\"Homoglyph Detection\"},{\"@id\":\"d3f:HostReboot\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HR\",\"rdfs:label\":\"Host Reboot\"},{\"@id\":\"d3f:HostShutdown\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-HS\",\"rdfs:label\":\"Host Shutdown\"},{\"@id\":\"d3f:IOPortRestriction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IOPR\",\"rdfs:label\":\"IO Port Restriction\"},{\"@id\":\"d3f:IPCTrafficAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IPCTA\",\"d3f:synonym\":\"IPC Analysis\",\"rdfs:label\":\"IPC Traffic 
Analysis\"},{\"@id\":\"d3f:IPReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IPRA\",\"rdfs:label\":\"IP Reputation Analysis\"},{\"@id\":\"d3f:IdentifierActivityAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IAA\",\"rdfs:label\":\"Identifier Activity Analysis\"},{\"@id\":\"d3f:IdentifierAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ID\",\"rdfs:label\":\"Identifier Analysis\"},{\"@id\":\"d3f:IdentifierReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IRA\",\"rdfs:label\":\"Identifier Reputation Analysis\"},{\"@id\":\"d3f:InboundSessionVolumeAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ISVA\",\"rdfs:label\":\"Inbound Session Volume Analysis\"},{\"@id\":\"d3f:InboundTrafficFiltering\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ITF\",\"rdfs:label\":\"Inbound Traffic Filtering\"},{\"@id\":\"d3f:IndirectBranchCallAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IBCA\",\"rdfs:label\":\"Indirect Branch Call Analysis\"},{\"@id\":\"d3f:InputDeviceAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IDA\",\"rdfs:label\":\"Input Device Analysis\"},{\"@id\":\"d3f:IntegerRangeValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IRV\",\"rdfs:label\":\"Integer Range Validation\"},{\"@id\":\"d3f:IntegratedHoneynet\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-IHN\",\"rdfs:label\":\"Integrated Honeynet\"},{\"@id\":\"d3f:JobFunctionAccessPatternAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-JFAPA\",\"rdfs:label\":\"Job Function Access Pattern Analysis\"},{\"@id\":\"d3f:Kernel-basedProcessIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-KBPI\",\"rdfs:label\":\"Kernel-based Process Isolation\"},{\"@id\":\"d3f:LANAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-LAMED\",\"rdfs:label\":\"LAN Access Mediation\"},{\"@id\":\"d3f:LocalAccountMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-LAM\",\"rdfs:label\":\"Local Account 
Monitoring\"},{\"@id\":\"d3f:LocalFileAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-LFAM\",\"d3f:synonym\":\"Local File Access Control\",\"rdfs:label\":\"Local File Access Mediation\"},{\"@id\":\"d3f:LocalFilePermissions\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-LFP\",\"rdfs:label\":\"Local File Permissions\"},{\"@id\":\"d3f:LogicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-LLM\",\"rdfs:label\":\"Logical Link Mapping\"},{\"@id\":\"d3f:MemoryBlockStartValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MBSV\",\"rdfs:label\":\"Memory Block Start Validation\"},{\"@id\":\"d3f:MemoryBoundaryTracking\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MBT\",\"rdfs:label\":\"Memory Boundary Tracking\"},{\"@id\":\"d3f:MessageAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MA\",\"d3f:synonym\":[\"Electronic Message Analysis\",\"Email Or Messaging Analysis\"],\"rdfs:label\":\"Message Analysis\"},{\"@id\":\"d3f:MessageAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MAN\",\"rdfs:label\":\"Message Authentication\"},{\"@id\":\"d3f:MessageEncryption\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MENCR\",\"rdfs:label\":\"Message Encryption\"},{\"@id\":\"d3f:MessageHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MH\",\"d3f:synonym\":\"Email Or Messaging Hardening\",\"rdfs:label\":\"Message Hardening\"},{\"@id\":\"d3f:Multi-factorAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-MFA\",\"rdfs:label\":\"Multi-factor Authentication\"},{\"@id\":\"d3f:NetworkAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NAM\",\"d3f:synonym\":\"Network Access Control\",\"rdfs:label\":\"Network Access Mediation\"},{\"@id\":\"d3f:NetworkIsolation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NI\",\"rdfs:label\":\"Network Isolation\"},{\"@id\":\"d3f:NetworkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NM\",\"rdfs:label\":\"Network 
Mapping\"},{\"@id\":\"d3f:NetworkNodeInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NNI\",\"d3f:synonym\":[\"System Discovery\",\"System Inventorying\"],\"rdfs:label\":\"Network Node Inventory\"},{\"@id\":\"d3f:NetworkResourceAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NRAM\",\"d3f:synonym\":\"Remote Access Control\",\"rdfs:label\":\"Network Resource Access Mediation\"},{\"@id\":\"d3f:NetworkTrafficAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NTA\",\"rdfs:label\":\"Network Traffic Analysis\"},{\"@id\":\"d3f:NetworkTrafficCommunityDeviation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NTCD\",\"rdfs:label\":\"Network Traffic Community Deviation\"},{\"@id\":\"d3f:NetworkTrafficFiltering\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NTF\",\"rdfs:label\":\"Network Traffic Filtering\"},{\"@id\":\"d3f:NetworkTrafficPolicyMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NTPM\",\"d3f:synonym\":[\"Firewall Mapping\",\"DLP Policy Mapping\",\"IPS Policy Mapping\",\"Web Security Gateway Policy Mapping\"],\"rdfs:label\":\"Network Traffic Policy Mapping\"},{\"@id\":\"d3f:NetworkTrafficSignatureAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NTSA\",\"rdfs:label\":\"Network Traffic Signature Analysis\"},{\"@id\":\"d3f:NetworkVulnerabilityAssessment\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NVA\",\"rdfs:label\":\"Network Vulnerability Assessment\"},{\"@id\":\"d3f:NullPointerChecking\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-NPC\",\"d3f:synonym\":\"Nil Pointer Checking\",\"rdfs:label\":\"Null Pointer Checking\"},{\"@id\":\"d3f:ObjectEviction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OE\",\"rdfs:label\":\"Object Eviction\"},{\"@id\":\"d3f:One-timePassword\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OTP\",\"d3f:synonym\":\"OTP\",\"rdfs:label\":\"One-time Password\"},{\"@id\":\"d3f:OperatingSystemMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OSM\",\"rdfs:label\":\"Operating 
System Monitoring\"},{\"@id\":\"d3f:OperationalActivityMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OAM\",\"d3f:synonym\":\"Mission Mapping\",\"rdfs:label\":\"Operational Activity Mapping\"},{\"@id\":\"d3f:OperationalDependencyMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ODM\",\"rdfs:label\":\"Operational Dependency Mapping\"},{\"@id\":\"d3f:OperationalRiskAssessment\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ORA\",\"d3f:synonym\":\"Mission Risk Assessment\",\"rdfs:label\":\"Operational Risk Assessment\"},{\"@id\":\"d3f:OrganizationMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OM\",\"rdfs:label\":\"Organization Mapping\"},{\"@id\":\"d3f:OutboundTrafficFiltering\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-OTF\",\"rdfs:label\":\"Outbound Traffic Filtering\"},{\"@id\":\"d3f:PassiveCertificateAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PCA\",\"rdfs:label\":\"Passive Certificate Analysis\"},{\"@id\":\"d3f:PassiveLogicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PLLM\",\"d3f:synonym\":\"Passive Logical Layer Mapping\",\"rdfs:label\":\"Passive Logical Link Mapping\"},{\"@id\":\"d3f:PasswordAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PWA\",\"rdfs:label\":\"Password Authentication\"},{\"@id\":\"d3f:PasswordRotation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PR\",\"rdfs:label\":\"Password Rotation\"},{\"@id\":\"d3f:PerHostDownload-UploadRatioAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PHDURA\",\"rdfs:label\":\"Per Host Download-Upload Ratio Analysis\"},{\"@id\":\"d3f:PeripheralFirmwareVerification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PFV\",\"rdfs:label\":\"Peripheral Firmware Verification\"},{\"@id\":\"d3f:PhysicalAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PAM\",\"d3f:synonym\":\"Physical Access Control\",\"rdfs:label\":\"Physical Access 
Mediation\"},{\"@id\":\"d3f:PhysicalLinkMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PLM\",\"d3f:synonym\":\"Layer 1 Mapping\",\"rdfs:label\":\"Physical Link Mapping\"},{\"@id\":\"d3f:PlatformHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PH\",\"d3f:synonym\":[\"Endpoint Hardening\",\"System Hardening\"],\"rdfs:label\":\"Platform Hardening\"},{\"@id\":\"d3f:PlatformMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PM\",\"rdfs:label\":\"Platform Monitoring\"},{\"@id\":\"d3f:PointerAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PAN\",\"rdfs:label\":\"Pointer Authentication\"},{\"@id\":\"d3f:PointerValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PV\",\"rdfs:label\":\"Pointer Validation\"},{\"@id\":\"d3f:ProcessAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PA\",\"rdfs:label\":\"Process Analysis\"},{\"@id\":\"d3f:ProcessCodeSegmentVerification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PCSV\",\"rdfs:label\":\"Process Code Segment Verification\"},{\"@id\":\"d3f:ProcessEviction\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PE\",\"rdfs:label\":\"Process Eviction\"},{\"@id\":\"d3f:ProcessLineageAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PLA\",\"d3f:synonym\":\"Process Tree Analysis\",\"rdfs:label\":\"Process Lineage Analysis\"},{\"@id\":\"d3f:ProcessSegmentExecutionPrevention\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PSEP\",\"d3f:synonym\":[\"Execute Disable\",\"No Execute\"],\"rdfs:label\":\"Process Segment Execution Prevention\"},{\"@id\":\"d3f:ProcessSelf-ModificationDetection\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PSMD\",\"rdfs:label\":\"Process Self-Modification Detection\"},{\"@id\":\"d3f:ProcessSpawnAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PSA\",\"rdfs:label\":\"Process Spawn Analysis\"},{\"@id\":\"d3f:ProcessSuspension\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PS\",\"rdfs:label\":\"Process 
Suspension\"},{\"@id\":\"d3f:ProcessTermination\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PT\",\"rdfs:label\":\"Process Termination\"},{\"@id\":\"d3f:ProtocolMetadataAnomalyDetection\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PMAD\",\"rdfs:label\":\"Protocol Metadata Anomaly Detection\"},{\"@id\":\"d3f:ProxyBasedWebServerAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-PBWSAM\",\"rdfs:label\":\"Proxy-based Web Server Access Mediation\"},{\"@id\":\"d3f:RFShielding\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RFS\",\"rdfs:label\":\"RF Shielding\"},{\"@id\":\"d3f:RPCTrafficAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RTA\",\"d3f:synonym\":\"RPC Protocol Analysis\",\"rdfs:label\":\"RPC Traffic Analysis\"},{\"@id\":\"d3f:ReferenceNullification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RN\",\"rdfs:label\":\"Reference Nullification\"},{\"@id\":\"d3f:RegistryKeyDeletion\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RKD\",\"rdfs:label\":\"Registry Key Deletion\"},{\"@id\":\"d3f:ReissueCredential\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RIC\",\"rdfs:label\":\"Reissue Credential\"},{\"@id\":\"d3f:RelayPatternAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RPA\",\"d3f:synonym\":\"Relay Network Detection\",\"rdfs:label\":\"Relay Pattern Analysis\"},{\"@id\":\"d3f:RemoteFileAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RFAM\",\"d3f:synonym\":\"File Share Access Mediation\",\"rdfs:label\":\"Remote File Access Mediation\"},{\"@id\":\"d3f:RemoteTerminalSessionDetection\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RTSD\",\"rdfs:label\":\"Remote Terminal Session Detection\"},{\"@id\":\"d3f:ResourceAccessPatternAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RAPA\",\"rdfs:label\":\"Resource Access Pattern Analysis\"},{\"@id\":\"d3f:RestoreAccess\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RA\",\"rdfs:label\":\"Restore 
Access\"},{\"@id\":\"d3f:RestoreConfiguration\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RC\",\"rdfs:label\":\"Restore Configuration\"},{\"@id\":\"d3f:RestoreDatabase\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RD\",\"rdfs:label\":\"Restore Database\"},{\"@id\":\"d3f:RestoreDiskImage\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RDI\",\"rdfs:label\":\"Restore Disk Image\"},{\"@id\":\"d3f:RestoreEmail\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RE\",\"rdfs:label\":\"Restore Email\"},{\"@id\":\"d3f:RestoreFile\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RF\",\"rdfs:label\":\"Restore File\"},{\"@id\":\"d3f:RestoreNetworkAccess\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RNA\",\"rdfs:label\":\"Restore Network Access\"},{\"@id\":\"d3f:RestoreObject\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RO\",\"rdfs:label\":\"Restore Object\"},{\"@id\":\"d3f:RestoreSoftware\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RS\",\"rdfs:label\":\"Restore Software\"},{\"@id\":\"d3f:RestoreUserAccountAccess\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RUAA\",\"rdfs:label\":\"Restore User Account Access\"},{\"@id\":\"d3f:ReverseResolutionIPDenylisting\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RRID\",\"d3f:synonym\":\"Reverse Resolution IP Blacklisting\",\"rdfs:label\":\"Reverse Resolution IP Denylisting\"},{\"@id\":\"d3f:RoutingAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-RAM\",\"rdfs:label\":\"Routing Access Mediation\"},{\"@id\":\"d3f:ScheduledJobAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SJA\",\"d3f:synonym\":\"Scheduled Job Execution\",\"rdfs:label\":\"Scheduled Job Analysis\"},{\"@id\":\"d3f:ScriptExecutionAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SEA\",\"rdfs:label\":\"Script Execution Analysis\"},{\"@id\":\"d3f:SegmentAddressOffsetRandomization\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SAOR\",\"d3f:synonym\":[\"Address Space Layout 
Randomization\",\"ASLR\"],\"rdfs:label\":\"Segment Address Offset Randomization\"},{\"@id\":\"d3f:SenderMTAReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SMRA\",\"rdfs:label\":\"Sender MTA Reputation Analysis\"},{\"@id\":\"d3f:SenderReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SRA\",\"rdfs:label\":\"Sender Reputation Analysis\"},{\"@id\":\"d3f:ServiceBinaryVerification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SBV\",\"rdfs:label\":\"Service Binary Verification\"},{\"@id\":\"d3f:ServiceDependencyMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SVCDM\",\"d3f:synonym\":\"Distributed Tracing\",\"rdfs:label\":\"Service Dependency Mapping\"},{\"@id\":\"d3f:SessionDurationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SDA\",\"rdfs:label\":\"Session Duration Analysis\"},{\"@id\":\"d3f:SessionTermination\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ST\",\"rdfs:label\":\"Session Termination\"},{\"@id\":\"d3f:ShadowStackComparisons\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SSC\",\"rdfs:label\":\"Shadow Stack Comparisons\"},{\"@id\":\"d3f:SoftwareInventory\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SWI\",\"d3f:synonym\":[\"Software Discovery\",\"Software Inventorying\"],\"rdfs:label\":\"Software Inventory\"},{\"@id\":\"d3f:SoftwareUpdate\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SU\",\"rdfs:label\":\"Software Update\"},{\"@id\":\"d3f:SourceCodeHardening\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SCH\",\"rdfs:label\":\"Source Code Hardening\"},{\"@id\":\"d3f:StackFrameCanaryValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SFCV\",\"rdfs:label\":\"Stack Frame Canary Validation\"},{\"@id\":\"d3f:StandaloneHoneynet\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SHN\",\"rdfs:label\":\"Standalone Honeynet\"},{\"@id\":\"d3f:StrongPasswordPolicy\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SPP\",\"rdfs:label\":\"Strong Password 
Policy\"},{\"@id\":\"d3f:SystemCallAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SCA\",\"rdfs:label\":\"System Call Analysis\"},{\"@id\":\"d3f:SystemCallFiltering\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SCF\",\"d3f:synonym\":\"System Call Control\",\"rdfs:label\":\"System Call Filtering\"},{\"@id\":\"d3f:SystemConfigurationPermissions\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SCP\",\"rdfs:label\":\"System Configuration Permissions\"},{\"@id\":\"d3f:SystemDaemonMonitoring\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SDM\",\"rdfs:label\":\"System Daemon Monitoring\"},{\"@id\":\"d3f:SystemDependencyMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SYSDM\",\"rdfs:label\":\"System Dependency Mapping\"},{\"@id\":\"d3f:SystemFileAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SFA\",\"rdfs:label\":\"System File Analysis\"},{\"@id\":\"d3f:SystemFirmwareVerification\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SFV\",\"rdfs:label\":\"System Firmware Verification\"},{\"@id\":\"d3f:SystemInitConfigAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SICA\",\"d3f:synonym\":[\"Autorun Analysis\",\"Startup Analysis\"],\"rdfs:label\":\"System Init Config Analysis\"},{\"@id\":\"d3f:SystemMapping\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SYSM\",\"rdfs:label\":\"System Mapping\"},{\"@id\":\"d3f:SystemVulnerabilityAssessment\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-SYSVA\",\"rdfs:label\":\"System Vulnerability Assessment\"},{\"@id\":\"d3f:TPMBootIntegrity\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-TBI\",\"d3f:synonym\":[\"Static Root of Trust Measurement\",\"SRTM\"],\"rdfs:label\":\"TPM Boot Integrity\"},{\"@id\":\"d3f:Token-basedAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-TBA\",\"rdfs:label\":\"Token-based Authentication\"},{\"@id\":\"d3f:TokenBinding\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-TB\",\"rdfs:label\":\"Token 
Binding\"},{\"@id\":\"d3f:TransferAgentAuthentication\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-TAAN\",\"rdfs:label\":\"Transfer Agent Authentication\"},{\"@id\":\"d3f:TrustedLibrary\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-TL\",\"rdfs:label\":\"Trusted Library\"},{\"@id\":\"d3f:URLAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-UA\",\"rdfs:label\":\"URL Analysis\"},{\"@id\":\"d3f:URLReputationAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-URA\",\"rdfs:label\":\"URL Reputation Analysis\"},{\"@id\":\"d3f:UnlockAccount\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-ULA\",\"rdfs:label\":\"Unlock Account\"},{\"@id\":\"d3f:UserAccountPermissions\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-UAP\",\"rdfs:label\":\"User Account Permissions\"},{\"@id\":\"d3f:UserBehaviorAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-UBA\",\"d3f:synonym\":[\"Credential Monitoring\",\"UBA\"],\"rdfs:label\":\"User Behavior Analysis\"},{\"@id\":\"d3f:UserDataTransferAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-UDTA\",\"rdfs:label\":\"User Data Transfer Analysis\"},{\"@id\":\"d3f:UserGeolocationLogonPatternAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-UGLPA\",\"rdfs:label\":\"User Geolocation Logon Pattern Analysis\"},{\"@id\":\"d3f:UserSessionInitConfigAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-USICA\",\"d3f:synonym\":\"User Startup Config Analysis\",\"rdfs:label\":\"User Session Init Config Analysis\"},{\"@id\":\"d3f:VariableInitialization\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-VI\",\"rdfs:label\":\"Variable Initialization\"},{\"@id\":\"d3f:VariableTypeValidation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-VTV\",\"rdfs:label\":\"Variable Type Validation\"},{\"@id\":\"d3f:WebSessionAccessMediation\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-WSAM\",\"rdfs:label\":\"Web Session Access 
Mediation\"},{\"@id\":\"d3f:WebSessionActivityAnalysis\",\"@type\":\"owl:Class\",\"d3f:d3fend-id\":\"D3-WSAA\",\"rdfs:label\":\"Web Session Activity Analysis\"}]}"}</script>
<script type="application/json" data-sveltekit-fetched data-url="/api/dao/artifacts.json">{"status":200,"statusText":"","headers":{},"body":"{\"@context\":{\"rdfs\":\"http://www.w3.org/2000/01/rdf-schema#\",\"owl\":\"http://www.w3.org/2002/07/owl#\",\"d3f\":\"http://d3fend.mitre.org/ontologies/d3fend.owl#\",\"skos\":\"http://www.w3.org/2004/02/skos/core#\"},\"@graph\":[{\"@id\":\"d3f:AccessControlConfiguration\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AccessControlGroup\"},{\"@id\":\"d3f:AccessControlList\"},{\"@id\":\"d3f:GroupPolicy\"}],\"rdfs:label\":[\"Access Control Configuration\"]},{\"@id\":\"d3f:AccessControlGroup\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserGroup\"},{\"@id\":\"d3f:HostGroup\"}],\"rdfs:label\":[\"Access Control Group\"]},{\"@id\":\"d3f:AccessControlList\",\"rdfs:label\":[\"Access Control List\"]},{\"@id\":\"d3f:AccessMediator\",\"rdfs:label\":[\"Access Mediator\"]},{\"@id\":\"d3f:AccessProcess\",\"rdfs:label\":[\"Access Process\"]},{\"@id\":\"d3f:AccessToken\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KerberosTicket\"},{\"@id\":\"d3f:SessionToken\"},{\"@id\":\"d3f:TicketGrantingTicket\"}],\"rdfs:label\":[\"Access Token\"],\"skos:altLabel\":[\"Ticket\",\"Token\"]},{\"@id\":\"d3f:ActivityDependency\",\"rdfs:label\":[\"Activity Dependency\"]},{\"@id\":\"d3f:Actuator\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTActuator\"}],\"rdfs:label\":[\"Actuator\"]},{\"@id\":\"d3f:AddressSpace\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MemoryAddressSpace\"}],\"rdfs:label\":[\"Address Space\"]},{\"@id\":\"d3f:AdministrativeNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:IntranetAdministrativeNetworkTraffic\"}],\"rdfs:label\":[\"Administrative Network Traffic\"]},{\"@id\":\"d3f:Alias\",\"rdfs:label\":[\"Alias\"]},{\"@id\":\"d3f:AllocateMemory\",\"rdfs:label\":[\"Allocate Memory\"]},{\"@id\":\"d3f:AnonymousPipe\",\"rdfs:label\":[\"Anonymous 
Pipe\"]},{\"@id\":\"d3f:Application\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PasswordManager\"},{\"@id\":\"d3f:ServiceApplication\"},{\"@id\":\"d3f:UserApplication\"},{\"@id\":\"d3f:ClientApplication\"}],\"rdfs:label\":[\"Application\"]},{\"@id\":\"d3f:ApplicationConfiguration\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationConfigurationDatabaseRecord\"},{\"@id\":\"d3f:ApplicationProcessConfiguration\"},{\"@id\":\"d3f:ApplicationRule\"},{\"@id\":\"d3f:ProcessEnvironmentVariable\"}],\"rdfs:label\":[\"Application Configuration\"]},{\"@id\":\"d3f:ApplicationConfigurationDatabase\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ShimDatabase\"}],\"rdfs:label\":[\"Application Configuration Database\"]},{\"@id\":\"d3f:ApplicationConfigurationDatabaseRecord\",\"rdfs:label\":[\"Application Configuration Database Record\"]},{\"@id\":\"d3f:ApplicationConfigurationFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CompilerConfigurationFile\"}],\"rdfs:label\":[\"Application Configuration File\"]},{\"@id\":\"d3f:ApplicationInstaller\",\"rdfs:label\":[\"Application Installer\"]},{\"@id\":\"d3f:ApplicationInventorySensor\",\"rdfs:label\":[\"Application Inventory Sensor\"]},{\"@id\":\"d3f:ApplicationLayerFirewall\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebApplicationFirewall\"}],\"rdfs:label\":[\"Application Layer Firewall\"],\"skos:altLabel\":[\"Application Firewall\"]},{\"@id\":\"d3f:ApplicationLayerLink\",\"rdfs:label\":[\"Application Layer Link\"]},{\"@id\":\"d3f:ApplicationProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ServiceApplicationProcess\"},{\"@id\":\"d3f:ContainerProcess\"},{\"@id\":\"d3f:ScriptApplicationProcess\"}],\"rdfs:label\":[\"Application Process\"]},{\"@id\":\"d3f:ApplicationProcessConfiguration\",\"rdfs:label\":[\"Application Process Configuration\"]},{\"@id\":\"d3f:ApplicationRule\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:EmailRule\"}],\"rdfs:label\":[\"Application Rule\"]},{\"@id\":\"d3f:ApplicationShim\",\"rdfs:label\":[\"Application 
Shim\"]},{\"@id\":\"d3f:ArchiveFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:JavaArchive\"},{\"@id\":\"d3f:CustomArchiveFile\"}],\"rdfs:label\":[\"Archive File\"]},{\"@id\":\"d3f:ArtifactServer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DataArtifactServer\"},{\"@id\":\"d3f:SoftwareArtifactServer\"}],\"rdfs:label\":[\"Artifact Server\"]},{\"@id\":\"d3f:AssetInventoryAgent\",\"rdfs:label\":[\"Asset Inventory Agent\"]},{\"@id\":\"d3f:AsymmetricKey\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PrivateKey\"},{\"@id\":\"d3f:PublicKey\"}],\"rdfs:label\":[\"Asymmetric Key\"]},{\"@id\":\"d3f:AudioInputDevice\",\"rdfs:label\":[\"Audio Input Device\"]},{\"@id\":\"d3f:AuthenticateUser\",\"rdfs:label\":[\"Authenticate User\"]},{\"@id\":\"d3f:AuthenticationFunction\",\"rdfs:label\":[\"Authentication Function\"]},{\"@id\":\"d3f:AuthenticationLog\",\"rdfs:label\":[\"Authentication Log\"]},{\"@id\":\"d3f:AuthenticationServer\",\"rdfs:label\":[\"Authentication Server\"]},{\"@id\":\"d3f:AuthenticationService\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LocalAuthenticationService\"},{\"@id\":\"d3f:RemoteAuthenticationService\"}],\"rdfs:label\":[\"Authentication Service\"]},{\"@id\":\"d3f:AuthorizationLog\",\"rdfs:label\":[\"Authorization Log\"]},{\"@id\":\"d3f:AuthorizationService\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LocalAuthorizationService\"},{\"@id\":\"d3f:RemoteAuthorizationService\"}],\"rdfs:label\":[\"Authorization Service\"]},{\"@id\":\"d3f:BarcodeScannerInputDevice\",\"rdfs:label\":[\"Barcode Scanner Input Device\"],\"skos:altLabel\":[\"Barcode Reader\"]},{\"@id\":\"d3f:BinaryLargeObject\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:JavaScriptBlob\"}],\"rdfs:label\":[\"Binary Large Object\"],\"skos:altLabel\":[\"Blob\",\"BLOB\"]},{\"@id\":\"d3f:BinarySegment\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ImageSegment\"},{\"@id\":\"d3f:ProcessSegment\"}],\"rdfs:label\":[\"Binary Segment\"]},{\"@id\":\"d3f:BlockDevice\",\"rdfs:label\":[\"Block Device\"],\"skos:altLabel\":[\"Block Special 
File\"]},{\"@id\":\"d3f:BootLoader\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Second-stageBootLoader\"},{\"@id\":\"d3f:First-stageBootLoader\"}],\"rdfs:label\":[\"Boot Loader\"],\"skos:altLabel\":[\"Bootloader\"]},{\"@id\":\"d3f:BootRecord\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:VolumeBootRecord\"},{\"@id\":\"d3f:BootSector\"}],\"rdfs:label\":[\"Boot Record\"]},{\"@id\":\"d3f:BootSector\",\"rdfs:label\":[\"Boot Sector\"]},{\"@id\":\"d3f:Browser\",\"rdfs:label\":[\"Browser\"]},{\"@id\":\"d3f:BrowserExtension\",\"rdfs:label\":[\"Browser Extension\"]},{\"@id\":\"d3f:BuildTool\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Compiler\"},{\"@id\":\"d3f:SoftwarePackagingTool\"}],\"rdfs:label\":[\"Build Tool\"],\"skos:altLabel\":[\"Build Automation Tool\"]},{\"@id\":\"d3f:BusinessCommunicationPlatformClient\",\"rdfs:label\":[\"Business Communication Platform Client\"]},{\"@id\":\"d3f:CACertificateFile\",\"rdfs:label\":[\"CA Certificate File\"]},{\"@id\":\"d3f:CacheMemory\",\"rdfs:label\":[\"Processor Cache Memory\"]},{\"@id\":\"d3f:CallStack\",\"rdfs:label\":[\"Call Stack\"]},{\"@id\":\"d3f:CentralProcessingUnit\",\"rdfs:label\":[\"Central Processing Unit\"]},{\"@id\":\"d3f:Certificate\",\"rdfs:label\":[\"Certificate\"],\"skos:altLabel\":[\"Public Key Certificate\"]},{\"@id\":\"d3f:CertificateFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CACertificateFile\"}],\"rdfs:label\":[\"Certificate File\"]},{\"@id\":\"d3f:CertificateTrustStore\",\"rdfs:label\":[\"Certificate Trust Store\"]},{\"@id\":\"d3f:ChatroomClient\",\"rdfs:label\":[\"Chatroom Client\"],\"skos:altLabel\":[\"Chat Room Client\"]},{\"@id\":\"d3f:ChildProcess\",\"rdfs:label\":[\"Child Process\"]},{\"@id\":\"d3f:ClientApplication\",\"rdfs:label\":[\"Client Application\"]},{\"@id\":\"d3f:ClientComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:EmbeddedComputer\"},{\"@id\":\"d3f:PersonalComputer\"},{\"@id\":\"d3f:SharedComputer\"}],\"rdfs:label\":[\"Client 
Computer\"]},{\"@id\":\"d3f:Clipboard\",\"rdfs:label\":[\"Clipboard\"]},{\"@id\":\"d3f:CloudConfiguration\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CloudInstanceMetadata\"}],\"rdfs:label\":[\"Cloud Configuration\"],\"skos:altLabel\":[\"Cloud Configuration Information\"]},{\"@id\":\"d3f:CloudInstanceMetadata\",\"rdfs:label\":[\"Cloud Instance Metadata\"]},{\"@id\":\"d3f:CloudServiceSensor\",\"rdfs:label\":[\"Cloud Service Sensor\"]},{\"@id\":\"d3f:CloudStorage\",\"rdfs:label\":[\"Cloud Storage\"]},{\"@id\":\"d3f:CloudUserAccount\",\"rdfs:label\":[\"Cloud User Account\"]},{\"@id\":\"d3f:CodeAnalyzer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DynamicAnalysisTool\"},{\"@id\":\"d3f:StaticAnalysisTool\"}],\"rdfs:label\":[\"Code Analyzer\"],\"skos:altLabel\":[\"Program Analysis Tool\"]},{\"@id\":\"d3f:CodeRepository\",\"rdfs:label\":[\"Code Repository\"],\"skos:altLabel\":[\"Repository\",\"Version Control Repository\"]},{\"@id\":\"d3f:CollaborativeSoftware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:BusinessCommunicationPlatformClient\"},{\"@id\":\"d3f:ChatroomClient\"},{\"@id\":\"d3f:InstantMessagingClient\"}],\"rdfs:label\":[\"Collaborative Software\"]},{\"@id\":\"d3f:CollectorAgent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AssetInventoryAgent\"}],\"rdfs:label\":[\"Network Agent\"]},{\"@id\":\"d3f:Command\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DatabaseQuery\"},{\"@id\":\"d3f:RemoteCommand\"}],\"rdfs:label\":[\"Command\"]},{\"@id\":\"d3f:CommandHistoryLog\",\"rdfs:label\":[\"Command History Log\"]},{\"@id\":\"d3f:CommandHistoryLogFile\",\"rdfs:label\":[\"Command History Log File\"]},{\"@id\":\"d3f:CommandLineInterface\",\"rdfs:label\":[\"Command Line Interface\"],\"skos:altLabel\":[\"CLI\",\"Command-line Interface\",\"CUI\"]},{\"@id\":\"d3f:Compiler\",\"rdfs:label\":[\"Compiler\"]},{\"@id\":\"d3f:CompilerConfigurationFile\",\"rdfs:label\":[\"Compiler Configuration 
File\"]},{\"@id\":\"d3f:ComputerNetworkNode\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Firewall\"},{\"@id\":\"d3f:Host\"},{\"@id\":\"d3f:Modem\"},{\"@id\":\"d3f:ProxyServer\"},{\"@id\":\"d3f:Router\"},{\"@id\":\"d3f:Switch\"},{\"@id\":\"d3f:WirelessAccessPoint\"}],\"rdfs:label\":[\"Computer Network Node\"]},{\"@id\":\"d3f:ComputerPlatform\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ComputerNetworkNode\"}],\"rdfs:label\":[\"Computer Platform\"],\"skos:altLabel\":[\"Computer Platform\"]},{\"@id\":\"d3f:ComputingImage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:StorageImage\"},{\"@id\":\"d3f:ContainerImage\"},{\"@id\":\"d3f:ProcessImage\"}],\"rdfs:label\":[\"Computing Image\"]},{\"@id\":\"d3f:ComputingServer\",\"rdfs:label\":[\"Computing Server\"]},{\"@id\":\"d3f:ComputingSnapshot\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:StorageSnapshot\"}],\"rdfs:label\":[\"Computing Snapshot\"],\"skos:altLabel\":[\"Snapshot\"]},{\"@id\":\"d3f:ConfigurationDatabase\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ConfigurationManagementDatabase\"},{\"@id\":\"d3f:ApplicationConfigurationDatabase\"}],\"rdfs:label\":[\"Configuration Database\"]},{\"@id\":\"d3f:ConfigurationDatabaseRecord\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationConfigurationDatabaseRecord\"},{\"@id\":\"d3f:SystemConfigurationDatabaseRecord\"}],\"rdfs:label\":[\"Configuration Database Record\"]},{\"@id\":\"d3f:ConfigurationFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationConfigurationFile\"},{\"@id\":\"d3f:OperatingSystemConfigurationFile\"},{\"@id\":\"d3f:PropertyListFile\"},{\"@id\":\"d3f:UserInitConfigurationFile\"}],\"rdfs:label\":[\"Configuration File\"],\"skos:altLabel\":[\"Settings File\"]},{\"@id\":\"d3f:ConfigurationManagementDatabase\",\"rdfs:label\":[\"Configuration Management 
Database\"]},{\"@id\":\"d3f:ConfigurationResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AccessControlConfiguration\"},{\"@id\":\"d3f:ApplicationConfiguration\"},{\"@id\":\"d3f:CloudConfiguration\"},{\"@id\":\"d3f:OperatingSystemConfiguration\"},{\"@id\":\"d3f:ConfigurationDatabase\"},{\"@id\":\"d3f:ConfigurationDatabaseRecord\"}],\"rdfs:label\":[\"Configuration Resource\"]},{\"@id\":\"d3f:ConnectSocket\",\"rdfs:label\":[\"Connect Socket\"]},{\"@id\":\"d3f:ConsoleOutputFunction\",\"rdfs:label\":[\"Console Output Function\"]},{\"@id\":\"d3f:ContainerBuildTool\",\"rdfs:label\":[\"Container Build Tool\"]},{\"@id\":\"d3f:ContainerImage\",\"rdfs:label\":[\"Container Image\"]},{\"@id\":\"d3f:ContainerOrchestrationSoftware\",\"rdfs:label\":[\"Container Orchestration Software\"]},{\"@id\":\"d3f:ContainerProcess\",\"rdfs:label\":[\"Container Process\"]},{\"@id\":\"d3f:ContainerRuntime\",\"rdfs:label\":[\"Container Runtime\"]},{\"@id\":\"d3f:CopyMemoryFunction\",\"rdfs:label\":[\"Copy Memory Function\"]},{\"@id\":\"d3f:CopyToken\",\"rdfs:label\":[\"Copy Token\"]},{\"@id\":\"d3f:CreateFile\",\"rdfs:label\":[\"Create File\"]},{\"@id\":\"d3f:CreateProcess\",\"rdfs:label\":[\"Create Process\"],\"skos:altLabel\":[\"Process Spawn\",\"Execute Process\",\"Spawn Process\"]},{\"@id\":\"d3f:CreateSocket\",\"rdfs:label\":[\"Create Socket\"]},{\"@id\":\"d3f:CreateThread\",\"rdfs:label\":[\"Create Thread\"]},{\"@id\":\"d3f:Credential\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebIdentityToken\"},{\"@id\":\"d3f:AccessToken\"},{\"@id\":\"d3f:EncryptedCredential\"},{\"@id\":\"d3f:Password\"},{\"@id\":\"d3f:SessionCookie\"}],\"rdfs:label\":[\"Credential\"]},{\"@id\":\"d3f:CredentialManagementSystem\",\"rdfs:label\":[\"Credential Management System\"]},{\"@id\":\"d3f:CryptographicKey\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AsymmetricKey\"},{\"@id\":\"d3f:SymmetricKey\"}],\"rdfs:label\":[\"Cryptographic Key\"]},{\"@id\":\"d3f:CustomArchiveFile\",\"rdfs:label\":[\"Custom Archive 
File\"]},{\"@id\":\"d3f:CyberSensor\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkScanner\"},{\"@id\":\"d3f:CloudServiceSensor\"},{\"@id\":\"d3f:EndpointSensor\"},{\"@id\":\"d3f:NetworkSensor\"}],\"rdfs:label\":[\"Cyber Sensor\"]},{\"@id\":\"d3f:DHCPNetworkTraffic\",\"rdfs:label\":[\"DHCP Network Traffic\"]},{\"@id\":\"d3f:DHCPServer\",\"rdfs:label\":[\"DHCP Server\"]},{\"@id\":\"d3f:DNSLookup\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:InternetDNSLookup\"},{\"@id\":\"d3f:IntranetDNSLookup\"}],\"rdfs:label\":[\"DNS Lookup\"]},{\"@id\":\"d3f:DNSNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetDNSLookupTraffic\"}],\"rdfs:label\":[\"DNS Network Traffic\"]},{\"@id\":\"d3f:DNSRecord\",\"rdfs:label\":[\"DNS Record\"]},{\"@id\":\"d3f:DNSServer\",\"rdfs:label\":[\"DNS Server\"]},{\"@id\":\"d3f:DataArtifactServer\",\"rdfs:label\":[\"Data Artifact Server\"]},{\"@id\":\"d3f:DataDependency\",\"rdfs:label\":[\"Data Dependency\"]},{\"@id\":\"d3f:DataLinkLink\",\"rdfs:label\":[\"Data Link Link\"]},{\"@id\":\"d3f:Database\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CodeRepository\"},{\"@id\":\"d3f:PasswordDatabase\"},{\"@id\":\"d3f:SystemConfigurationDatabase\"}],\"rdfs:label\":[\"Database\"]},{\"@id\":\"d3f:DatabaseFile\",\"rdfs:label\":[\"Database File\"]},{\"@id\":\"d3f:DatabaseQuery\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RemoteDatabaseQuery\"}],\"rdfs:label\":[\"Database Query\"]},{\"@id\":\"d3f:DatabaseServer\",\"rdfs:label\":[\"Database Server\"],\"skos:altLabel\":[\"Network Database Resource\"]},{\"@id\":\"d3f:DecoyArtifact\",\"rdfs:label\":[\"Decoy Artifact\"],\"skos:altLabel\":[\"Decoy\",\"Decoy Object\",\"Lure\",\"Trap\"]},{\"@id\":\"d3f:DefaultUserAccount\",\"rdfs:label\":[\"Default User Account\"]},{\"@id\":\"d3f:DeleteFile\",\"rdfs:label\":[\"Delete 
File\"]},{\"@id\":\"d3f:Dependency\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ActivityDependency\"},{\"@id\":\"d3f:DataDependency\"},{\"@id\":\"d3f:ServiceDependency\"},{\"@id\":\"d3f:SystemDependency\"}],\"rdfs:label\":[\"Dependency\"]},{\"@id\":\"d3f:DeserializationFunction\",\"rdfs:label\":[\"Deserialization Function\"]},{\"@id\":\"d3f:DesktopComputer\",\"rdfs:label\":[\"Desktop Computer\"]},{\"@id\":\"d3f:DeveloperApplication\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:BuildTool\"},{\"@id\":\"d3f:CodeAnalyzer\"},{\"@id\":\"d3f:TestExecutionTool\"},{\"@id\":\"d3f:VersionControlTool\"},{\"@id\":\"d3f:NetworkTrafficAnalysisSoftware\"}],\"rdfs:label\":[\"Developer Application\"]},{\"@id\":\"d3f:DialUpModem\",\"rdfs:label\":[\"Dial Up Modem\"]},{\"@id\":\"d3f:DifferentialVolumeSnapshot\",\"rdfs:label\":[\"Differential Volume Snapshot\"]},{\"@id\":\"d3f:DigitalArtifact\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DigitalInformationBearer\"},{\"@id\":\"d3f:DigitalInformation\"}],\"rdfs:label\":[\"Digital Artifact\"]},{\"@id\":\"d3f:DigitalEventRecord\",\"rdfs:label\":[\"Digital Event Record\"]},{\"@id\":\"d3f:DigitalFingerprint\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:FileHash\"}],\"rdfs:label\":[\"Digital Fingerprint\"]},{\"@id\":\"d3f:DigitalIdentity\",\"rdfs:label\":[\"Digital Identity\"]},{\"@id\":\"d3f:DigitalInformation\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DigitalIdentity\"},{\"@id\":\"d3f:Command\"},{\"@id\":\"d3f:CryptographicKey\"},{\"@id\":\"d3f:DomainRegistration\"},{\"@id\":\"d3f:Identifier\"},{\"@id\":\"d3f:Metadata\"},{\"@id\":\"d3f:NetworkFlow\"},{\"@id\":\"d3f:Pointer\"},{\"@id\":\"d3f:Software\"},{\"@id\":\"d3f:MemoryExtent\"},{\"@id\":\"d3f:MemoryAddress\"},{\"@id\":\"d3f:JobSchedule\"}],\"rdfs:label\":[\"Digital 
Information\"]},{\"@id\":\"d3f:DigitalInformationBearer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:BlockDevice\"},{\"@id\":\"d3f:CallStack\"},{\"@id\":\"d3f:Certificate\"},{\"@id\":\"d3f:ComputerPlatform\"},{\"@id\":\"d3f:InternetPersona\"},{\"@id\":\"d3f:Repository\"},{\"@id\":\"d3f:ComputingImage\"},{\"@id\":\"d3f:ComputingSnapshot\"},{\"@id\":\"d3f:UserProfile\"},{\"@id\":\"d3f:BinaryLargeObject\"},{\"@id\":\"d3f:BinarySegment\"},{\"@id\":\"d3f:Clipboard\"},{\"@id\":\"d3f:Credential\"},{\"@id\":\"d3f:Database\"},{\"@id\":\"d3f:DecoyArtifact\"},{\"@id\":\"d3f:DigitalSystem\"},{\"@id\":\"d3f:Directory\"},{\"@id\":\"d3f:DisplayServer\"},{\"@id\":\"d3f:DNSLookup\"},{\"@id\":\"d3f:Enclave\"},{\"@id\":\"d3f:FileSection\"},{\"@id\":\"d3f:FileSystem\"},{\"@id\":\"d3f:FileSystemLink\"},{\"@id\":\"d3f:HardwareDevice\"},{\"@id\":\"d3f:HardwareDriver\"},{\"@id\":\"d3f:InterprocessCommunication\"},{\"@id\":\"d3f:IntrusionDetectionSystem\"},{\"@id\":\"d3f:KernelProcessTable\"},{\"@id\":\"d3f:Log\"},{\"@id\":\"d3f:Network\"},{\"@id\":\"d3f:NetworkNode\"},{\"@id\":\"d3f:NetworkPackets\"},{\"@id\":\"d3f:NetworkTraffic\"},{\"@id\":\"d3f:OperatingSystem\"},{\"@id\":\"d3f:Partition\"},{\"@id\":\"d3f:PartitionTable\"},{\"@id\":\"d3f:Pipe\"},{\"@id\":\"d3f:Process\"},{\"@id\":\"d3f:ProcessTree\"},{\"@id\":\"d3f:Record\"},{\"@id\":\"d3f:Resource\"},{\"@id\":\"d3f:Sensor\"},{\"@id\":\"d3f:Session\"},{\"@id\":\"d3f:StackComponent\"},{\"@id\":\"d3f:Storage\"},{\"@id\":\"d3f:SystemCall\"},{\"@id\":\"d3f:TrustStore\"},{\"@id\":\"d3f:User\"},{\"@id\":\"d3f:UserAccount\"},{\"@id\":\"d3f:UserAction\"},{\"@id\":\"d3f:UserBehavior\"},{\"@id\":\"d3f:UserInterface\"},{\"@id\":\"d3f:UserToUserMessage\"},{\"@id\":\"d3f:Volume\"},{\"@id\":\"d3f:Dependency\"},{\"@id\":\"d3f:Link\"},{\"@id\":\"d3f:AddressSpace\"},{\"@id\":\"d3f:ShadowStack\"},{\"@id\":\"d3f:Thread\"},{\"@id\":\"d3f:PageTable\"},{\"@id\":\"d3f:SoftwarePackage\"},{\"@id\":\"d3f:AccessMediator\"}],\"rdfs:label\":[\"Digital Information 
Bearer\"]},{\"@id\":\"d3f:DigitalSystem\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LegacySystem\"}],\"rdfs:label\":[\"Digital System\"]},{\"@id\":\"d3f:Directory\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:StartupDirectory\"},{\"@id\":\"d3f:SystemStartupDirectory\"}],\"rdfs:label\":[\"Directory\"]},{\"@id\":\"d3f:DirectoryService\",\"rdfs:label\":[\"Directory Service\"]},{\"@id\":\"d3f:DiskImage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OpticalDiscImage\"}],\"rdfs:label\":[\"Disk Image\"]},{\"@id\":\"d3f:DisplayAdapter\",\"rdfs:label\":[\"Display Adapter\"],\"skos:altLabel\":[\"Display Card\",\"Graphics Adapter\",\"Video Card\"]},{\"@id\":\"d3f:DisplayDeviceDriver\",\"rdfs:label\":[\"Display Device Driver\"]},{\"@id\":\"d3f:DisplayServer\",\"rdfs:label\":[\"Display Server\"],\"skos:altLabel\":[\"Window Server\"]},{\"@id\":\"d3f:DocumentFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Email\"},{\"@id\":\"d3f:EmailAttachment\"},{\"@id\":\"d3f:HTMLFile\"},{\"@id\":\"d3f:OfficeApplicationFile\"},{\"@id\":\"d3f:MultimediaDocumentFile\"}],\"rdfs:label\":[\"Document File\"]},{\"@id\":\"d3f:DomainName\",\"rdfs:label\":[\"Domain Name\"]},{\"@id\":\"d3f:DomainRegistration\",\"rdfs:label\":[\"Domain Registration\"],\"skos:altLabel\":[\"Domain Name Registration Data\"]},{\"@id\":\"d3f:DomainUserAccount\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:GlobalUserAccount\"}],\"rdfs:label\":[\"Domain User Account\"]},{\"@id\":\"d3f:DynamicAnalysisTool\",\"rdfs:label\":[\"Dynamic Analysis Tool\"]},{\"@id\":\"d3f:Email\",\"rdfs:label\":[\"Email\"]},{\"@id\":\"d3f:EmailAttachment\",\"rdfs:label\":[\"Email Attachment\"]},{\"@id\":\"d3f:EmailRule\",\"rdfs:label\":[\"Email Rule\"]},{\"@id\":\"d3f:EmbeddedComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTEmbeddedComputer\"}],\"rdfs:label\":[\"Embedded Computer\"],\"skos:altLabel\":[\"Embedded System\"]},{\"@id\":\"d3f:Enclave\",\"rdfs:label\":[\"Enclave\"],\"skos:altLabel\":[\"Network 
Enclave\"]},{\"@id\":\"d3f:EncryptedCredential\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:EncryptedPassword\"}],\"rdfs:label\":[\"Encrypted Credential\"]},{\"@id\":\"d3f:EncryptedPassword\",\"rdfs:label\":[\"Encrypted Password\"]},{\"@id\":\"d3f:EndpointSensor\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationInventorySensor\"},{\"@id\":\"d3f:FileSystemSensor\"},{\"@id\":\"d3f:FirmwareSensor\"},{\"@id\":\"d3f:HostConfigurationSensor\"},{\"@id\":\"d3f:KernelAPISensor\"}],\"rdfs:label\":[\"Endpoint Sensor\"]},{\"@id\":\"d3f:EvalFunction\",\"rdfs:label\":[\"Eval Function\"]},{\"@id\":\"d3f:EventLog\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AuthenticationLog\"},{\"@id\":\"d3f:AuthorizationLog\"},{\"@id\":\"d3f:CommandHistoryLog\"}],\"rdfs:label\":[\"Event Log\"]},{\"@id\":\"d3f:ExceptionHandler\",\"rdfs:label\":[\"Exception Handler\"]},{\"@id\":\"d3f:Exec\",\"rdfs:label\":[\"Exec\"]},{\"@id\":\"d3f:ExecutableBinary\",\"rdfs:label\":[\"Executable Binary\"]},{\"@id\":\"d3f:ExecutableFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ExecutableBinary\"},{\"@id\":\"d3f:ExecutableScript\"}],\"rdfs:label\":[\"Executable File\"],\"skos:altLabel\":[\"Executable\"]},{\"@id\":\"d3f:ExecutableScript\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserStartupScriptFile\"},{\"@id\":\"d3f:SystemInitScript\"},{\"@id\":\"d3f:UserInitScript\"},{\"@id\":\"d3f:InitScript\"},{\"@id\":\"d3f:PythonScriptFile\"},{\"@id\":\"d3f:WebScriptFile\"}],\"rdfs:label\":[\"Executable Script\"]},{\"@id\":\"d3f:ExternalContentInclusionFunction\",\"rdfs:label\":[\"External Content Inclusion Function\"]},{\"@id\":\"d3f:FastSymbolicLink\",\"rdfs:label\":[\"Fast Symbolic Link\"],\"skos:altLabel\":[\"Fast 
Symlink\"]},{\"@id\":\"d3f:File\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SoftwareLibraryFile\"},{\"@id\":\"d3f:ObjectFile\"},{\"@id\":\"d3f:OperatingSystemFile\"},{\"@id\":\"d3f:ShortcutFile\"},{\"@id\":\"d3f:DatabaseFile\"},{\"@id\":\"d3f:StorageImage\"},{\"@id\":\"d3f:NTFSLink\"},{\"@id\":\"d3f:PasswordFile\"},{\"@id\":\"d3f:SymbolicLink\"},{\"@id\":\"d3f:LogFile\"},{\"@id\":\"d3f:ArchiveFile\"},{\"@id\":\"d3f:CertificateFile\"},{\"@id\":\"d3f:ConfigurationFile\"},{\"@id\":\"d3f:DocumentFile\"},{\"@id\":\"d3f:ExecutableFile\"}],\"rdfs:label\":[\"File\"]},{\"@id\":\"d3f:FileHash\",\"rdfs:label\":[\"File Hash\"]},{\"@id\":\"d3f:FilePathOpenFunction\",\"rdfs:label\":[\"File Path Open Function\"]},{\"@id\":\"d3f:FileSection\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ImageSegment\"},{\"@id\":\"d3f:ResourceFork\"}],\"rdfs:label\":[\"File Section\"],\"skos:altLabel\":[\"File Part\"]},{\"@id\":\"d3f:FileServer\",\"rdfs:label\":[\"File Server\"]},{\"@id\":\"d3f:FileShareService\",\"rdfs:label\":[\"File Share Service\"]},{\"@id\":\"d3f:FileSystem\",\"rdfs:label\":[\"File System\"]},{\"@id\":\"d3f:FileSystemLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:HardLink\"},{\"@id\":\"d3f:NTFSLink\"},{\"@id\":\"d3f:SymbolicLink\"},{\"@id\":\"d3f:UnixLink\"}],\"rdfs:label\":[\"File System Link\"]},{\"@id\":\"d3f:FileSystemMetadata\",\"rdfs:label\":[\"File System Metadata\"]},{\"@id\":\"d3f:FileSystemSensor\",\"rdfs:label\":[\"File System Sensor\"]},{\"@id\":\"d3f:FileTransferNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetFileTransferTraffic\"},{\"@id\":\"d3f:InternetFileTransferTraffic\"},{\"@id\":\"d3f:IntranetFileTransferTraffic\"}],\"rdfs:label\":[\"File Transfer Network Traffic\"]},{\"@id\":\"d3f:FingerPrintScannerInputDevice\",\"rdfs:label\":[\"Finger Print Scanner Input Device\"],\"skos:altLabel\":[\"Fingerprint 
Sensor\"]},{\"@id\":\"d3f:Firewall\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationLayerFirewall\"}],\"rdfs:label\":[\"Firewall\"],\"skos:altLabel\":[\"Network Firewall\"]},{\"@id\":\"d3f:Firmware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PeripheralFirmware\"},{\"@id\":\"d3f:SystemFirmware\"},{\"@id\":\"d3f:Microcode\"}],\"rdfs:label\":[\"Firmware\"]},{\"@id\":\"d3f:FirmwareSensor\",\"rdfs:label\":[\"Firmware Sensor\"]},{\"@id\":\"d3f:First-stageBootLoader\",\"rdfs:label\":[\"First-stage Boot Loader\"]},{\"@id\":\"d3f:FlashMemory\",\"rdfs:label\":[\"Flash Memory\"]},{\"@id\":\"d3f:ForwardProxyServer\",\"rdfs:label\":[\"Forward Proxy Server\"]},{\"@id\":\"d3f:FreeMemory\",\"rdfs:label\":[\"Free Memory\"]},{\"@id\":\"d3f:FullVolumeSnapshot\",\"rdfs:label\":[\"Full Volume Snapshot\"]},{\"@id\":\"d3f:GetOpenSockets\",\"rdfs:label\":[\"Get Open Sockets\"]},{\"@id\":\"d3f:GetOpenWindows\",\"rdfs:label\":[\"Get Open Windows\"]},{\"@id\":\"d3f:GetRunningProcesses\",\"rdfs:label\":[\"Get Running Processes\"]},{\"@id\":\"d3f:GetScreenCapture\",\"rdfs:label\":[\"Get Screen Capture\"]},{\"@id\":\"d3f:GetSystemConfigValue\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:GetSystemNetworkConfigValue\"}],\"rdfs:label\":[\"Get System Config Value\"]},{\"@id\":\"d3f:GetSystemNetworkConfigValue\",\"rdfs:label\":[\"Get System Network Config Value\"]},{\"@id\":\"d3f:GetSystemTime\",\"rdfs:label\":[\"Get System Time\"]},{\"@id\":\"d3f:GetThreadContext\",\"rdfs:label\":[\"Get Thread Context\"]},{\"@id\":\"d3f:GlobalUserAccount\",\"rdfs:label\":[\"Global User Account\"]},{\"@id\":\"d3f:GraphicalUserInterface\",\"rdfs:label\":[\"Graphical User Interface\"],\"skos:altLabel\":[\"GUI\"]},{\"@id\":\"d3f:GraphicsCardFirmware\",\"rdfs:label\":[\"Graphics Card Firmware\"],\"skos:altLabel\":[\"Video Card Firmware\"]},{\"@id\":\"d3f:GraphicsProcessingUnit\",\"rdfs:label\":[\"Graphics Processing Unit\"]},{\"@id\":\"d3f:GroupPolicy\",\"rdfs:label\":[\"Group 
Policy\"]},{\"@id\":\"d3f:HTMLFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MicrosoftHTMLApplication\"}],\"rdfs:label\":[\"HTML File\"],\"skos:altLabel\":[\"HTML File\"]},{\"@id\":\"d3f:HardDiskFirmware\",\"rdfs:label\":[\"Hard Disk Firmware\"],\"skos:altLabel\":[\"Hard Drive Firmware\"]},{\"@id\":\"d3f:HardLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NTFSHardLink\"},{\"@id\":\"d3f:UnixHardLink\"}],\"rdfs:label\":[\"Hard Link\"]},{\"@id\":\"d3f:HardwareDevice\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PrimaryStorage\"},{\"@id\":\"d3f:Processor\"},{\"@id\":\"d3f:SecondaryStorage\"},{\"@id\":\"d3f:TertiaryStorage\"},{\"@id\":\"d3f:MemoryManagementUnitComponent\"},{\"@id\":\"d3f:ProcessorComponent\"},{\"@id\":\"d3f:IOModule\"},{\"@id\":\"d3f:PowerSupply\"},{\"@id\":\"d3f:NetworkInterfaceCard\"},{\"@id\":\"d3f:InputDevice\"},{\"@id\":\"d3f:OutputDevice\"},{\"@id\":\"d3f:RemovableMediaDevice\"},{\"@id\":\"d3f:SecurityToken\"}],\"rdfs:label\":[\"Hardware Device\"]},{\"@id\":\"d3f:HardwareDriver\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DisplayDeviceDriver\"}],\"rdfs:label\":[\"Hardware Driver\"],\"skos:altLabel\":[\"Device Driver\"]},{\"@id\":\"d3f:HeapSegment\",\"rdfs:label\":[\"Heap Segment\"]},{\"@id\":\"d3f:Host\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ClientComputer\"},{\"@id\":\"d3f:Server\"}],\"rdfs:label\":[\"Host\"],\"skos:altLabel\":[\"Network Host\"]},{\"@id\":\"d3f:Host-basedFirewall\",\"rdfs:label\":[\"Host-based Firewall\"]},{\"@id\":\"d3f:HostConfigurationSensor\",\"rdfs:label\":[\"Host Configuration Sensor\"]},{\"@id\":\"d3f:HostGroup\",\"rdfs:label\":[\"Host Group\"]},{\"@id\":\"d3f:Hostname\",\"rdfs:label\":[\"Hostname\"],\"skos:altLabel\":[\"Nodename\"]},{\"@id\":\"d3f:HumanInputDeviceFirmware\",\"rdfs:label\":[\"Human Input Device Firmware\"]},{\"@id\":\"d3f:IOModule\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTIOModule\"}],\"rdfs:label\":[\"I/O Module\"]},{\"@id\":\"d3f:IPAddress\",\"rdfs:label\":[\"IP 
Address\"]},{\"@id\":\"d3f:IPCNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:IntranetIPCNetworkTraffic\"}],\"rdfs:label\":[\"IPC Network Traffic\"]},{\"@id\":\"d3f:IPPhone\",\"rdfs:label\":[\"IP Phone\"],\"skos:altLabel\":[\"VoIP Phone\"]},{\"@id\":\"d3f:Identifier\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DigitalFingerprint\"},{\"@id\":\"d3f:MACAddress\"},{\"@id\":\"d3f:DomainName\"},{\"@id\":\"d3f:Hostname\"},{\"@id\":\"d3f:IPAddress\"},{\"@id\":\"d3f:URL\"}],\"rdfs:label\":[\"Identifier\"],\"skos:altLabel\":[\"ID\"]},{\"@id\":\"d3f:ImageCodeSegment\",\"rdfs:label\":[\"Image Code Segment\"]},{\"@id\":\"d3f:ImageDataSegment\",\"rdfs:label\":[\"Image Data Segment\"]},{\"@id\":\"d3f:ImageScannerInputDevice\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:BarcodeScannerInputDevice\"},{\"@id\":\"d3f:FingerPrintScannerInputDevice\"}],\"rdfs:label\":[\"Image Scanner Input Device\"],\"skos:altLabel\":[\"Scanner\"]},{\"@id\":\"d3f:ImageSegment\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ImageCodeSegment\"},{\"@id\":\"d3f:ImageDataSegment\"}],\"rdfs:label\":[\"Image Segment\"]},{\"@id\":\"d3f:ImpersonateUser\",\"rdfs:label\":[\"Impersonate User\"]},{\"@id\":\"d3f:ImportLibraryFunction\",\"rdfs:label\":[\"Import Library Function\"]},{\"@id\":\"d3f:In-memoryPasswordStore\",\"rdfs:label\":[\"In-memory Password Store\"]},{\"@id\":\"d3f:InboundInternetDNSResponseTraffic\",\"rdfs:label\":[\"Inbound Internet DNS Response Traffic\"]},{\"@id\":\"d3f:InboundInternetMailTraffic\",\"rdfs:label\":[\"Inbound Internet Mail Traffic\"]},{\"@id\":\"d3f:InboundInternetNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:InboundInternetMailTraffic\"},{\"@id\":\"d3f:InboundInternetDNSResponseTraffic\"}],\"rdfs:label\":[\"Inbound Internet Network Traffic\"]},{\"@id\":\"d3f:InboundNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:InboundInternetMailTraffic\"},{\"@id\":\"d3f:InboundInternetNetworkTraffic\"}],\"rdfs:label\":[\"Inbound Network 
Traffic\"]},{\"@id\":\"d3f:InitScript\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserInitScript\"},{\"@id\":\"d3f:NetworkInitScriptFileResource\"}],\"rdfs:label\":[\"Init Script\"],\"skos:altLabel\":[\"Initialization Script\"]},{\"@id\":\"d3f:InputDevice\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MouseInputDevice\"},{\"@id\":\"d3f:VideoInputDevice\"},{\"@id\":\"d3f:KeyboardInputDevice\"},{\"@id\":\"d3f:AudioInputDevice\"}],\"rdfs:label\":[\"Input Device\"]},{\"@id\":\"d3f:InputFunction\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserInputFunction\"}],\"rdfs:label\":[\"Input Function\"]},{\"@id\":\"d3f:InstantMessagingClient\",\"rdfs:label\":[\"Instant Messaging Client\"]},{\"@id\":\"d3f:IntegrationTestExecutionTool\",\"rdfs:label\":[\"Integration Test Execution Tool\"]},{\"@id\":\"d3f:InternetDNSLookup\",\"rdfs:label\":[\"Internet DNS Lookup\"]},{\"@id\":\"d3f:InternetFileTransferTraffic\",\"rdfs:label\":[\"Internet File Transfer Traffic\"]},{\"@id\":\"d3f:InternetNetwork\",\"rdfs:label\":[\"Internet Network\"],\"skos:altLabel\":[\"Interconnected Network\",\"Internet\",\"Internetwork\"]},{\"@id\":\"d3f:InternetNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetNetworkTraffic\"},{\"@id\":\"d3f:InboundInternetNetworkTraffic\"},{\"@id\":\"d3f:InternetFileTransferTraffic\"}],\"rdfs:label\":[\"Internet Network Traffic\"]},{\"@id\":\"d3f:InternetPersona\",\"rdfs:label\":[\"Internet Persona\"],\"skos:altLabel\":[\"Online Identity\",\"Online Persona\",\"Online Personality\"]},{\"@id\":\"d3f:InterprocessCommunication\",\"rdfs:label\":[\"Interprocess Communication\"]},{\"@id\":\"d3f:IntranetAdministrativeNetworkTraffic\",\"rdfs:label\":[\"Intranet Administrative Network Traffic\"]},{\"@id\":\"d3f:IntranetDNSLookup\",\"rdfs:label\":[\"Intranet DNS Lookup\"]},{\"@id\":\"d3f:IntranetFileTransferTraffic\",\"rdfs:label\":[\"Intranet File Transfer Traffic\"]},{\"@id\":\"d3f:IntranetIPCNetworkTraffic\",\"rdfs:label\":[\"Intranet IPC Network 
Traffic\"]},{\"@id\":\"d3f:IntranetMulticastNetworkTraffic\",\"rdfs:label\":[\"Intranet Multicast Network Traffic\"]},{\"@id\":\"d3f:IntranetNetwork\",\"rdfs:label\":[\"Intranet Network\"]},{\"@id\":\"d3f:IntranetNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:IntranetMulticastNetworkTraffic\"},{\"@id\":\"d3f:IntranetRPCNetworkTraffic\"},{\"@id\":\"d3f:IntranetWebNetworkTraffic\"},{\"@id\":\"d3f:LocalAreaNetworkTraffic\"},{\"@id\":\"d3f:IntranetAdministrativeNetworkTraffic\"},{\"@id\":\"d3f:IntranetFileTransferTraffic\"},{\"@id\":\"d3f:IntranetIPCNetworkTraffic\"}],\"rdfs:label\":[\"Intranet Network Traffic\"]},{\"@id\":\"d3f:IntranetRPCNetworkTraffic\",\"rdfs:label\":[\"Intranet RPC Network Traffic\"]},{\"@id\":\"d3f:IntranetWebNetworkTraffic\",\"rdfs:label\":[\"Intranet Web Network Traffic\"]},{\"@id\":\"d3f:IntrusionDetectionSystem\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:IntrusionPreventionSystem\"}],\"rdfs:label\":[\"Intrusion Detection System\"],\"skos:altLabel\":[\"IDS\"]},{\"@id\":\"d3f:IntrusionPreventionSystem\",\"rdfs:label\":[\"Intrusion Prevention System\"],\"skos:altLabel\":[\"IDPS\",\"Intrusion Detection and Prevention System\",\"IPS\"]},{\"@id\":\"d3f:JavaArchive\",\"rdfs:label\":[\"Java Archive\"]},{\"@id\":\"d3f:JavaScriptBlob\",\"rdfs:label\":[\"JavaScript Blob\"]},{\"@id\":\"d3f:JobSchedule\",\"rdfs:label\":[\"Job Schedule\"]},{\"@id\":\"d3f:JobSchedulerSoftware\",\"rdfs:label\":[\"Job Scheduler Software\"]},{\"@id\":\"d3f:KerberosTicket\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KerberosTicketGrantingServiceTicket\"},{\"@id\":\"d3f:KerberosTicketGrantingTicket\"}],\"rdfs:label\":[\"Kerberos Ticket\"]},{\"@id\":\"d3f:KerberosTicketGrantingServiceTicket\",\"rdfs:label\":[\"Kerberos Ticket Granting Service Ticket\"],\"skos:altLabel\":[\"TGS Ticket\"]},{\"@id\":\"d3f:KerberosTicketGrantingTicket\",\"rdfs:label\":[\"Kerberos Ticket Granting Ticket\"]},{\"@id\":\"d3f:KerberosTicketGrantingTicketAccount\",\"rdfs:label\":[\"Kerberos Ticket Granting 
Ticket Account\"]},{\"@id\":\"d3f:Kernel\",\"rdfs:label\":[\"Kernel\"]},{\"@id\":\"d3f:KernelAPISensor\",\"rdfs:label\":[\"Kernel API Sensor\"]},{\"@id\":\"d3f:KernelModule\",\"rdfs:label\":[\"Kernel Module\"],\"skos:altLabel\":[\"LKM\",\"Loadable Kernel Module\"]},{\"@id\":\"d3f:KernelProcessTable\",\"rdfs:label\":[\"Kernel Process Table\"]},{\"@id\":\"d3f:KeyboardInputDevice\",\"rdfs:label\":[\"Keyboard Input Device\"],\"skos:altLabel\":[\"Computer Keyboard\",\"Keyboard\"]},{\"@id\":\"d3f:KioskComputer\",\"rdfs:label\":[\"Kiosk Computer\"],\"skos:altLabel\":[\"Interactive Kiosk\"]},{\"@id\":\"d3f:LaptopComputer\",\"rdfs:label\":[\"Laptop Computer\"],\"skos:altLabel\":[\"Laptop\",\"Notebook\"]},{\"@id\":\"d3f:LegacySystem\",\"rdfs:label\":[\"Legacy System\"]},{\"@id\":\"d3f:Link\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LogicalLink\"},{\"@id\":\"d3f:PhysicalLink\"}],\"rdfs:label\":[\"Link\"]},{\"@id\":\"d3f:LinuxClone\",\"rdfs:label\":[\"Linux Clone\"]},{\"@id\":\"d3f:LinuxClone3\",\"rdfs:label\":[\"Linux Clone3\"]},{\"@id\":\"d3f:LinuxClone3ArgumentCLONE_THREAD\",\"rdfs:label\":[\"Linux Clone3 Argument CLONE_THREAD\"]},{\"@id\":\"d3f:LinuxCloneArgumentCLONE_THREAD\",\"rdfs:label\":[\"Linux Clone Argument CLONE_THREAD\"]},{\"@id\":\"d3f:LinuxConnect\",\"rdfs:label\":[\"Linux Connect\"]},{\"@id\":\"d3f:LinuxCreat\",\"rdfs:label\":[\"Linux Creat\"]},{\"@id\":\"d3f:LinuxDeleteModule\",\"rdfs:label\":[\"Linux Delete Module\"]},{\"@id\":\"d3f:LinuxExecve\",\"rdfs:label\":[\"Linux Execve\"]},{\"@id\":\"d3f:LinuxExecveat\",\"rdfs:label\":[\"Linux Execveat\"]},{\"@id\":\"d3f:LinuxFork\",\"rdfs:label\":[\"Linux Fork\"]},{\"@id\":\"d3f:LinuxInitModule\",\"rdfs:label\":[\"Linux Init Module\"]},{\"@id\":\"d3f:LinuxKillArgumentSIGKILL\",\"rdfs:label\":[\"Linux Kill Argument SIGKILL\"]},{\"@id\":\"d3f:LinuxMmap\",\"rdfs:label\":[\"Linux Mmap\"]},{\"@id\":\"d3f:LinuxMmap2\",\"rdfs:label\":[\"Linux Mmap2\"]},{\"@id\":\"d3f:LinuxMunmap\",\"rdfs:label\":[\"Linux 
Munmap\"]},{\"@id\":\"d3f:LinuxOpenArgumentO_CREAT\",\"rdfs:label\":[\"Linux Open Argument O_CREAT\"]},{\"@id\":\"d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR\",\"rdfs:label\":[\"Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR\"]},{\"@id\":\"d3f:LinuxOpenAt2ArgumentO_CREAT\",\"rdfs:label\":[\"Linux OpenAt2 Argument O_CREAT\"]},{\"@id\":\"d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR\",\"rdfs:label\":[\"Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR\"]},{\"@id\":\"d3f:LinuxOpenAtArgumentO_CREAT\",\"rdfs:label\":[\"Linux OpenAt Argument O_CREAT\"]},{\"@id\":\"d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR\",\"rdfs:label\":[\"Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR\"]},{\"@id\":\"d3f:LinuxPauseProcess\",\"rdfs:label\":[\"Linux Pause Process\"]},{\"@id\":\"d3f:LinuxPauseThread\",\"rdfs:label\":[\"Linux Pause Thread\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEATTACH\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_ATTACH\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACECONT\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_CONT\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEGETREGS\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_GETREGS\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEINTERRUPT\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_INTERRUPT\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEPEEKTEXT\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_PEEKTEXT\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEPOKETEXT\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_POKETEXT\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACESETREGS\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_SETREGS\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACE_DETACH\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_DETACH\"]},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACE_TRACEME\",\"rdfs:label\":[\"Linux Ptrace Argument PTRACE_TRACEME\"]},{\"@id\":\"d3f:LinuxRead\",\"rdfs:label\":[\"Linux Read\"]},{\"@id\":\"d3f:LinuxReadv\",\"rdfs:label\":[\"Linux Readv\"]},{\"@id\":\"d3f:LinuxRename\",\"rdfs:label\":[\"Linux 
Rename\"]},{\"@id\":\"d3f:LinuxRenameat\",\"rdfs:label\":[\"Linux Renameat\"]},{\"@id\":\"d3f:LinuxRenameat2\",\"rdfs:label\":[\"Linux Renameat2\"]},{\"@id\":\"d3f:LinuxSocket\",\"rdfs:label\":[\"Linux Socket\"]},{\"@id\":\"d3f:LinuxSocketcallArgumentSYS_CONNECT\",\"rdfs:label\":[\"Linux Socketcall Argument SYS_CONNECT\"]},{\"@id\":\"d3f:LinuxSocketcallArgumentSYS_SOCKET\",\"rdfs:label\":[\"Linux Socketcall Argument SYS_SOCKET\"]},{\"@id\":\"d3f:LinuxTime\",\"rdfs:label\":[\"Linux Time\"]},{\"@id\":\"d3f:LinuxUnlink\",\"rdfs:label\":[\"Linux Unlink\"]},{\"@id\":\"d3f:LinuxUnlinkat\",\"rdfs:label\":[\"Linux Unlinkat\"]},{\"@id\":\"d3f:LinuxVfork\",\"rdfs:label\":[\"Linux Vfork\"]},{\"@id\":\"d3f:LinuxWrite\",\"rdfs:label\":[\"Linux Write\"]},{\"@id\":\"d3f:LinuxWritev\",\"rdfs:label\":[\"Linux Writev\"]},{\"@id\":\"d3f:Linux_Exit\",\"rdfs:label\":[\"Linux _Exit\"]},{\"@id\":\"d3f:LoadModule\",\"rdfs:label\":[\"Load Module\"]},{\"@id\":\"d3f:LocalAreaNetwork\",\"rdfs:label\":[\"Local Area Network\"],\"skos:altLabel\":[\"LAN\"]},{\"@id\":\"d3f:LocalAreaNetworkTraffic\",\"rdfs:label\":[\"Local Area Network Traffic\"]},{\"@id\":\"d3f:LocalAuthenticationService\",\"rdfs:label\":[\"Local Authentication Service\"]},{\"@id\":\"d3f:LocalAuthorizationService\",\"rdfs:label\":[\"Local Authorization Service\"]},{\"@id\":\"d3f:LocalResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SystemConfigurationInitResource\"},{\"@id\":\"d3f:UserLogonInitResource\"},{\"@id\":\"d3f:InputDevice\"},{\"@id\":\"d3f:StartupDirectory\"}],\"rdfs:label\":[\"Local Resource\"],\"skos:altLabel\":[\"System Resource\"]},{\"@id\":\"d3f:LocalResourceAccess\",\"rdfs:label\":[\"Local Resource Access\"],\"skos:altLabel\":[\"Endpoint Resource Access\"]},{\"@id\":\"d3f:LocalUserAccount\",\"rdfs:label\":[\"Local User 
Account\"]},{\"@id\":\"d3f:Log\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:EventLog\"},{\"@id\":\"d3f:PacketLog\"}],\"rdfs:label\":[\"Log\"],\"skos:altLabel\":[\"Chronology\"]},{\"@id\":\"d3f:LogFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CommandHistoryLogFile\"},{\"@id\":\"d3f:OperatingSystemLogFile\"}],\"rdfs:label\":[\"Log File\"]},{\"@id\":\"d3f:LogMessageFunction\",\"rdfs:label\":[\"Log Message Function\"]},{\"@id\":\"d3f:LogicalLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationLayerLink\"},{\"@id\":\"d3f:DataLinkLink\"},{\"@id\":\"d3f:NetworkLink\"},{\"@id\":\"d3f:TransportLink\"}],\"rdfs:label\":[\"Logical Link\"]},{\"@id\":\"d3f:LoginSession\",\"rdfs:label\":[\"Login Session\"],\"skos:altLabel\":[\"Logon Session\"]},{\"@id\":\"d3f:LogonUser\",\"rdfs:label\":[\"Logon User\"]},{\"@id\":\"d3f:MACAddress\",\"rdfs:label\":[\"MAC Address\"]},{\"@id\":\"d3f:MacOSKeychain\",\"rdfs:label\":[\"MacOS Keychain\"],\"skos:altLabel\":[\"Keychain\"]},{\"@id\":\"d3f:MailNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:InboundInternetMailTraffic\"}],\"rdfs:label\":[\"Mail Network Traffic\"]},{\"@id\":\"d3f:MailServer\",\"rdfs:label\":[\"Mail Server\"],\"skos:altLabel\":[\"Email Server Resource\",\"Mail Exchanger\",\"Mail transfer agent\",\"Message transfer agent\",\"MTA\",\"MX Host\"]},{\"@id\":\"d3f:MailService\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MessageTransferAgent\"}],\"rdfs:label\":[\"Mail Service\"],\"skos:altLabel\":[\"Email Service\"]},{\"@id\":\"d3f:MathematicalFunction\",\"rdfs:label\":[\"Mathematical Function\"]},{\"@id\":\"d3f:MediaServer\",\"rdfs:label\":[\"Media Server\"]},{\"@id\":\"d3f:MemoryAddress\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PhysicalAddress\"},{\"@id\":\"d3f:VirtualAddress\"}],\"rdfs:label\":[\"Memory Address\"]},{\"@id\":\"d3f:MemoryAddressSpace\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:VirtualMemorySpace\"}],\"rdfs:label\":[\"Memory Address Space\"]},{\"@id\":\"d3f:MemoryAllocationFunction\",\"rdfs:label\":[\"Memory Allocation 
Function\"]},{\"@id\":\"d3f:MemoryBlock\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:TertiaryStorage\"},{\"@id\":\"d3f:Page\"},{\"@id\":\"d3f:PageFrame\"}],\"rdfs:label\":[\"Memory Block\"]},{\"@id\":\"d3f:MemoryExtent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MemoryBlock\"},{\"@id\":\"d3f:MemoryPool\"},{\"@id\":\"d3f:MemoryWord\"}],\"rdfs:label\":[\"Memory Extent\"]},{\"@id\":\"d3f:MemoryFreeFunction\",\"rdfs:label\":[\"Memory Free Function\"]},{\"@id\":\"d3f:MemoryManagementUnit\",\"rdfs:label\":[\"Memory Management Unit\"]},{\"@id\":\"d3f:MemoryManagementUnitComponent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:TranslationLookasideBuffer\"}],\"rdfs:label\":[\"Memory Management Unit Component\"]},{\"@id\":\"d3f:MemoryPool\",\"rdfs:label\":[\"Memory Pool\"]},{\"@id\":\"d3f:MemoryProtectionUnit\",\"rdfs:label\":[\"Memory Protection Unit\"]},{\"@id\":\"d3f:MemoryWord\",\"rdfs:label\":[\"Memory Word\"]},{\"@id\":\"d3f:MessageTransferAgent\",\"rdfs:label\":[\"Message Transfer Agent\"],\"skos:altLabel\":[\"Mail Transfer Agent\",\"MTA\"]},{\"@id\":\"d3f:Metadata\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:FileSystemMetadata\"}],\"rdfs:label\":[\"Metadata\"]},{\"@id\":\"d3f:Microcode\",\"rdfs:label\":[\"Microcode\"]},{\"@id\":\"d3f:MicrosoftHTMLApplication\",\"rdfs:label\":[\"Microsoft HTML Application\"]},{\"@id\":\"d3f:MobilePhone\",\"rdfs:label\":[\"Mobile Phone\"],\"skos:altLabel\":[\"Cellphone\",\"Cellular Phone\"]},{\"@id\":\"d3f:Modem\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DialUpModem\"},{\"@id\":\"d3f:OpticalModem\"},{\"@id\":\"d3f:RadioModem\"}],\"rdfs:label\":[\"Modem\"]},{\"@id\":\"d3f:MouseInputDevice\",\"rdfs:label\":[\"Mouse Input Device\"],\"skos:altLabel\":[\"Computer Mouse\"]},{\"@id\":\"d3f:MoveFile\",\"rdfs:label\":[\"Move File\"],\"skos:altLabel\":[\"Rename File\"]},{\"@id\":\"d3f:MultimediaDocumentFile\",\"rdfs:label\":[\"Multimedia Document File\"]},{\"@id\":\"d3f:NTFSHardLink\",\"rdfs:label\":[\"NTFS Hard 
Link\"]},{\"@id\":\"d3f:NTFSJunctionPoint\",\"rdfs:label\":[\"NTFS Junction Point\"],\"skos:altLabel\":[\"Junction Point\"]},{\"@id\":\"d3f:NTFSLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NTFSHardLink\"},{\"@id\":\"d3f:NTFSJunctionPoint\"},{\"@id\":\"d3f:NTFSSymbolicLink\"}],\"rdfs:label\":[\"NTFS Link\"]},{\"@id\":\"d3f:NTFSSymbolicLink\",\"rdfs:label\":[\"NTFS Symbolic Link\"],\"skos:altLabel\":[\"NTFS Symlink\"]},{\"@id\":\"d3f:NamedPipe\",\"rdfs:label\":[\"Named Pipe\"]},{\"@id\":\"d3f:Network\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WideAreaNetwork\"},{\"@id\":\"d3f:InternetNetwork\"},{\"@id\":\"d3f:IntranetNetwork\"},{\"@id\":\"d3f:LocalAreaNetwork\"}],\"rdfs:label\":[\"Network\"],\"skos:altLabel\":[\"Computer Network\"]},{\"@id\":\"d3f:NetworkCardFirmware\",\"rdfs:label\":[\"Network Card Firmware\"],\"skos:altLabel\":[\"Network Controller Firmware\"]},{\"@id\":\"d3f:NetworkDirectoryResource\",\"rdfs:label\":[\"Network Directory Resource\"]},{\"@id\":\"d3f:NetworkFileResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkInitScriptFileResource\"},{\"@id\":\"d3f:WebFileResource\"}],\"rdfs:label\":[\"Network File Resource\"]},{\"@id\":\"d3f:NetworkFileShareResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkDirectoryResource\"},{\"@id\":\"d3f:NetworkFileResource\"}],\"rdfs:label\":[\"Network File Share Resource\"]},{\"@id\":\"d3f:NetworkFlow\",\"rdfs:label\":[\"Network Flow\"]},{\"@id\":\"d3f:NetworkFlowSensor\",\"rdfs:label\":[\"Network Flow Sensor\"]},{\"@id\":\"d3f:NetworkInitScriptFileResource\",\"rdfs:label\":[\"Network Init Script File Resource\"]},{\"@id\":\"d3f:NetworkInterfaceCard\",\"rdfs:label\":[\"Network Interface Card\"]},{\"@id\":\"d3f:NetworkLink\",\"rdfs:label\":[\"Network Link\"]},{\"@id\":\"d3f:NetworkNode\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RFNode\"},{\"@id\":\"d3f:ComputerNetworkNode\"}],\"rdfs:label\":[\"Network Node\"]},{\"@id\":\"d3f:NetworkPackets\",\"rdfs:label\":[\"Network 
Packet\"]},{\"@id\":\"d3f:NetworkPrinter\",\"rdfs:label\":[\"Network Printer\"]},{\"@id\":\"d3f:NetworkProtocolAnalyzer\",\"rdfs:label\":[\"Network Protocol Analyzer\"]},{\"@id\":\"d3f:NetworkResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkFileShareResource\"},{\"@id\":\"d3f:WebResource\"}],\"rdfs:label\":[\"Network Resource\"],\"skos:altLabel\":[\"Shared Resource\"]},{\"@id\":\"d3f:NetworkResourceAccess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebResourceAccess\"}],\"rdfs:label\":[\"Network Resource Access\"]},{\"@id\":\"d3f:NetworkScanner\",\"rdfs:label\":[\"Network Scanner\"],\"skos:altLabel\":[\"Network Enumerator\"]},{\"@id\":\"d3f:NetworkSensor\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkFlowSensor\"},{\"@id\":\"d3f:NetworkProtocolAnalyzer\"}],\"rdfs:label\":[\"Network Sensor\"]},{\"@id\":\"d3f:NetworkService\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AuthorizationService\"},{\"@id\":\"d3f:DirectoryService\"},{\"@id\":\"d3f:FileShareService\"},{\"@id\":\"d3f:MailService\"},{\"@id\":\"d3f:RemoteAuthenticationService\"}],\"rdfs:label\":[\"Network Service\"]},{\"@id\":\"d3f:NetworkSession\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RemoteLoginSession\"},{\"@id\":\"d3f:RemoteSession\"},{\"@id\":\"d3f:RemoteTerminalSession\"}],\"rdfs:label\":[\"Network Session\"]},{\"@id\":\"d3f:NetworkTimeServer\",\"rdfs:label\":[\"Network Time Server\"]},{\"@id\":\"d3f:NetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebNetworkTraffic\"},{\"@id\":\"d3f:DHCPNetworkTraffic\"},{\"@id\":\"d3f:TFTPNetworkTraffic\"},{\"@id\":\"d3f:AdministrativeNetworkTraffic\"},{\"@id\":\"d3f:DNSNetworkTraffic\"},{\"@id\":\"d3f:FileTransferNetworkTraffic\"},{\"@id\":\"d3f:InboundNetworkTraffic\"},{\"@id\":\"d3f:InternetNetworkTraffic\"},{\"@id\":\"d3f:IntranetNetworkTraffic\"},{\"@id\":\"d3f:IPCNetworkTraffic\"},{\"@id\":\"d3f:MailNetworkTraffic\"},{\"@id\":\"d3f:OutboundNetworkTraffic\"},{\"@id\":\"d3f:RPCNetworkTraffic\"}],\"rdfs:label\":[\"Network Traffic\"],\"skos:altLabel\":[\"Data 
Traffic\"]},{\"@id\":\"d3f:NetworkTrafficAnalysisSoftware\",\"rdfs:label\":[\"Network Traffic Analysis Software\"],\"skos:altLabel\":[\"Network Sniffer\"]},{\"@id\":\"d3f:OSAPIAccessProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEATTACH\"}],\"rdfs:label\":[\"OS API Access Process\"]},{\"@id\":\"d3f:OSAPIAllocateMemory\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsVirtualAllocEx\"},{\"@id\":\"d3f:WindowsVirtualProtectEx\"},{\"@id\":\"d3f:LinuxMmap\"},{\"@id\":\"d3f:LinuxMmap2\"},{\"@id\":\"d3f:WindowsNtAllocateVirtualMemory\"},{\"@id\":\"d3f:WindowsNtAllocateVirtualMemoryEx\"},{\"@id\":\"d3f:WindowsNtProtectVirtualMemory\"}],\"rdfs:label\":[\"OS API Allocate Memory\"]},{\"@id\":\"d3f:OSAPIConnectSocket\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxConnect\"},{\"@id\":\"d3f:LinuxSocketcallArgumentSYS_CONNECT\"}],\"rdfs:label\":[\"OS API Connect Socket\"]},{\"@id\":\"d3f:OSAPICopyToken\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsNtDuplicateToken\"},{\"@id\":\"d3f:WindowsDuplicateToken\"}],\"rdfs:label\":[\"OS API Copy Token\"]},{\"@id\":\"d3f:OSAPICreateFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxCreat\"},{\"@id\":\"d3f:LinuxOpenArgumentO_CREAT\"},{\"@id\":\"d3f:LinuxOpenAt2ArgumentO_CREAT\"},{\"@id\":\"d3f:LinuxOpenAtArgumentO_CREAT\"},{\"@id\":\"d3f:WindowsNtCreateFile\"},{\"@id\":\"d3f:WindowsNtCreateMailslotFile\"},{\"@id\":\"d3f:WindowsNtCreateNamedPipeFile\"},{\"@id\":\"d3f:WindowsNtCreatePagingFile\"},{\"@id\":\"d3f:WindowOpenFile\"},{\"@id\":\"d3f:WindowsCreateFileA\"}],\"rdfs:label\":[\"OS API Create File\"]},{\"@id\":\"d3f:OSAPICreateProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxClone\"},{\"@id\":\"d3f:LinuxClone3\"},{\"@id\":\"d3f:LinuxFork\"},{\"@id\":\"d3f:LinuxVfork\"},{\"@id\":\"d3f:WindowsNtCreateProcess\"},{\"@id\":\"d3f:WindowsNtCreateProcessEx\"},{\"@id\":\"d3f:WindowsCreateProcessA\"}],\"rdfs:label\":[\"OS API Create 
Process\"]},{\"@id\":\"d3f:OSAPICreateSocket\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxSocket\"},{\"@id\":\"d3f:LinuxSocketcallArgumentSYS_SOCKET\"}],\"rdfs:label\":[\"OS API Create Socket\"]},{\"@id\":\"d3f:OSAPICreateThread\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsCreateThread\"},{\"@id\":\"d3f:LinuxClone3ArgumentCLONE_THREAD\"},{\"@id\":\"d3f:LinuxCloneArgumentCLONE_THREAD\"},{\"@id\":\"d3f:WindowsNtCreateThread\"},{\"@id\":\"d3f:WindowsNtCreateThreadEx\"},{\"@id\":\"d3f:WindowsCreateRemoteThread\"}],\"rdfs:label\":[\"OS API Create Thread\"]},{\"@id\":\"d3f:OSAPIDeleteFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsDeleteFile\"},{\"@id\":\"d3f:LinuxUnlink\"},{\"@id\":\"d3f:LinuxUnlinkat\"},{\"@id\":\"d3f:WindowsNtDeleteFile\"},{\"@id\":\"d3f:WindowsNtSetInformationFileArgumentFileDispositionInformation\"}],\"rdfs:label\":[\"OS API Delete File\"]},{\"@id\":\"d3f:OSAPIExec\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxExecve\"},{\"@id\":\"d3f:LinuxExecveat\"}],\"rdfs:label\":[\"OS API Exec\"]},{\"@id\":\"d3f:OSAPIFreeMemory\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsVirtualFree\"},{\"@id\":\"d3f:LinuxMunmap\"},{\"@id\":\"d3f:WindowsNtFreeVirtualMemory\"}],\"rdfs:label\":[\"OS API Free Memory\"]},{\"@id\":\"d3f:OSAPIFunction\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OSAPISystemFunction\"}],\"rdfs:label\":[\"OS API Function\"]},{\"@id\":\"d3f:OSAPIGetSystemTime\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsQueryPerformanceCounter\"},{\"@id\":\"d3f:LinuxTime\"},{\"@id\":\"d3f:WindowsNtQuerySystemTime\"}],\"rdfs:label\":[\"OS API Get System Time\"]},{\"@id\":\"d3f:OSAPIGetThreadContext\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsNTGetThreadContext\"},{\"@id\":\"d3f:WindowsGetThreadContext\"}],\"rdfs:label\":[\"OS API Get Thread Context\"]},{\"@id\":\"d3f:OSAPILoadModule\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxInitModule\"}],\"rdfs:label\":[\"OS API Load 
Module\"]},{\"@id\":\"d3f:OSAPIMoveFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxRename\"},{\"@id\":\"d3f:LinuxRenameat\"},{\"@id\":\"d3f:LinuxRenameat2\"}],\"rdfs:label\":[\"OS API Move File\"]},{\"@id\":\"d3f:OSAPIOpenFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowOpenFile\"},{\"@id\":\"d3f:WindowsCreateFileA\"},{\"@id\":\"d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR\"},{\"@id\":\"d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR\"},{\"@id\":\"d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR\"},{\"@id\":\"d3f:WindowsNtOpenFile\"}],\"rdfs:label\":[\"OS API Open File\"]},{\"@id\":\"d3f:OSAPIReadFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxRead\"},{\"@id\":\"d3f:LinuxReadv\"},{\"@id\":\"d3f:WindowsNtReadFile\"},{\"@id\":\"d3f:WindowsNtReadFileScatter\"},{\"@id\":\"d3f:WindowsReadFile\"}],\"rdfs:label\":[\"OS API Read File\"]},{\"@id\":\"d3f:OSAPIReadMemory\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEPEEKTEXT\"}],\"rdfs:label\":[\"OS API Read Memory\"]},{\"@id\":\"d3f:OSAPIResumeProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACE_DETACH\"},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACECONT\"}],\"rdfs:label\":[\"OS API Resume Process\"]},{\"@id\":\"d3f:OSAPIResumeThread\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsNtResumeThread\"},{\"@id\":\"d3f:WindowsResumeThread\"}],\"rdfs:label\":[\"OS API Resume Thread\"]},{\"@id\":\"d3f:OSAPISaveRegisters\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEGETREGS\"}],\"rdfs:label\":[\"OS API Save Registers\"]},{\"@id\":\"d3f:OSAPISetRegisters\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACESETREGS\"}],\"rdfs:label\":[\"OS API Set Registers\"]},{\"@id\":\"d3f:OSAPISetThreadContext\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsNtSetThreadContext\"},{\"@id\":\"d3f:WindowsSetThreadContext\"}],\"rdfs:label\":[\"OS API Set Thread 
Context\"]},{\"@id\":\"d3f:OSAPISuspendProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPauseProcess\"},{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEINTERRUPT\"},{\"@id\":\"d3f:WindowsNtSuspendProcess\"}],\"rdfs:label\":[\"OS API Suspend Process\"]},{\"@id\":\"d3f:OSAPISuspendThread\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPauseThread\"},{\"@id\":\"d3f:WindowsNtSuspendThread\"},{\"@id\":\"d3f:WindowsSuspendThread\"}],\"rdfs:label\":[\"OS API Suspend Thread\"]},{\"@id\":\"d3f:OSAPISystemFunction\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OSAPIAllocateMemory\"},{\"@id\":\"d3f:OSAPIConnectSocket\"},{\"@id\":\"d3f:OSAPICreateFile\"},{\"@id\":\"d3f:OSAPIDeleteFile\"},{\"@id\":\"d3f:OSAPIExec\"},{\"@id\":\"d3f:OSAPIFreeMemory\"},{\"@id\":\"d3f:OSAPIGetSystemTime\"},{\"@id\":\"d3f:OSAPIMoveFile\"},{\"@id\":\"d3f:OSAPIOpenFile\"},{\"@id\":\"d3f:OSAPIReadFile\"},{\"@id\":\"d3f:OSAPISuspendProcess\"},{\"@id\":\"d3f:OSAPISuspendThread\"},{\"@id\":\"d3f:OSAPITerminateProcess\"},{\"@id\":\"d3f:OSAPITraceProcess\"},{\"@id\":\"d3f:OSAPIWriteFile\"},{\"@id\":\"d3f:OSAPICopyToken\"},{\"@id\":\"d3f:OSAPIAccessProcess\"},{\"@id\":\"d3f:OSAPIReadMemory\"},{\"@id\":\"d3f:OSAPILoadModule\"},{\"@id\":\"d3f:OSAPIUnloadModule\"},{\"@id\":\"d3f:OSAPICreateProcess\"},{\"@id\":\"d3f:OSAPICreateSocket\"},{\"@id\":\"d3f:OSAPICreateThread\"},{\"@id\":\"d3f:OSAPIResumeProcess\"},{\"@id\":\"d3f:OSAPISaveRegisters\"},{\"@id\":\"d3f:OSAPISetRegisters\"},{\"@id\":\"d3f:OSAPIWriteMemory\"},{\"@id\":\"d3f:OSAPIGetThreadContext\"},{\"@id\":\"d3f:OSAPIResumeThread\"},{\"@id\":\"d3f:OSAPISetThreadContext\"},{\"@id\":\"d3f:OSAPITraceThread\"}],\"rdfs:label\":[\"OS API System Function\"]},{\"@id\":\"d3f:OSAPITerminateProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Linux_Exit\"},{\"@id\":\"d3f:LinuxKillArgumentSIGKILL\"},{\"@id\":\"d3f:WindowsNtTerminateProcess\"},{\"@id\":\"d3f:WindowsTerminateProcess\"}],\"rdfs:label\":[\"OS API Terminate 
Process\"]},{\"@id\":\"d3f:OSAPITraceProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACE_TRACEME\"},{\"@id\":\"d3f:WindowsNtOpenProcess\"},{\"@id\":\"d3f:WindowsOpenProcess\"}],\"rdfs:label\":[\"OS API Trace Process\"]},{\"@id\":\"d3f:OSAPITraceThread\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsNtOpenThread\"},{\"@id\":\"d3f:WindowsOpenThread\"}],\"rdfs:label\":[\"OS API Trace Thread\"]},{\"@id\":\"d3f:OSAPIUnloadModule\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxDeleteModule\"}],\"rdfs:label\":[\"OS API Unload Module\"]},{\"@id\":\"d3f:OSAPIWriteFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxWrite\"},{\"@id\":\"d3f:LinuxWritev\"},{\"@id\":\"d3f:WindowsNtWriteFile\"},{\"@id\":\"d3f:WindowsNtWriteFileGather\"},{\"@id\":\"d3f:WindowsWriteFile\"}],\"rdfs:label\":[\"OS API Write File\"]},{\"@id\":\"d3f:OSAPIWriteMemory\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LinuxPtraceArgumentPTRACEPOKETEXT\"},{\"@id\":\"d3f:WindowsNtFlushInstructionCache\"},{\"@id\":\"d3f:WindowsNtWriteVirtualMemory\"},{\"@id\":\"d3f:WindowsWriteProcessMemory\"}],\"rdfs:label\":[\"OS API Write Memory\"]},{\"@id\":\"d3f:OTActuator\",\"rdfs:label\":[\"OT Actuator\"]},{\"@id\":\"d3f:OTController\",\"rdfs:label\":[\"OT Controller\"]},{\"@id\":\"d3f:OTEmbeddedComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTController\"}],\"rdfs:label\":[\"OT Embedded Computer\"]},{\"@id\":\"d3f:OTIOModule\",\"rdfs:label\":[\"OT I/O Module\"]},{\"@id\":\"d3f:OTPowerSupply\",\"rdfs:label\":[\"OT Power Supply\"]},{\"@id\":\"d3f:OTSensor\",\"rdfs:label\":[\"OT Sensor\"]},{\"@id\":\"d3f:ObjectFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KernelModule\"},{\"@id\":\"d3f:SharedLibraryFile\"}],\"rdfs:label\":[\"Object File\"]},{\"@id\":\"d3f:OfficeApplication\",\"rdfs:label\":[\"Office Application\"]},{\"@id\":\"d3f:OfficeApplicationFile\",\"rdfs:label\":[\"Office Application File\"]},{\"@id\":\"d3f:OpenFile\",\"rdfs:label\":[\"Open File\"]},{\"@id\":\"d3f:OperatingSystem\",\"rdfs:label\":[\"Operating 
System\"]},{\"@id\":\"d3f:OperatingSystemConfiguration\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OperatingSystemConfigurationComponent\"}],\"rdfs:label\":[\"Operating System Configuration\"]},{\"@id\":\"d3f:OperatingSystemConfigurationComponent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SystemConfigurationDatabaseRecord\"},{\"@id\":\"d3f:SystemFirewallConfiguration\"},{\"@id\":\"d3f:SystemInitConfiguration\"}],\"rdfs:label\":[\"Operating System Configuration Component\"],\"skos:altLabel\":[\"Operating System Configuration Information\",\"System Configuration\"]},{\"@id\":\"d3f:OperatingSystemConfigurationFile\",\"rdfs:label\":[\"Operating System Configuration File\"],\"skos:altLabel\":[\"System Configuration File\"]},{\"@id\":\"d3f:OperatingSystemExecutableFile\",\"rdfs:label\":[\"Operating System Executable File\"]},{\"@id\":\"d3f:OperatingSystemFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OperatingSystemConfigurationFile\"},{\"@id\":\"d3f:OperatingSystemExecutableFile\"},{\"@id\":\"d3f:OperatingSystemLogFile\"},{\"@id\":\"d3f:OperatingSystemSharedLibraryFile\"}],\"rdfs:label\":[\"Operating System File\"]},{\"@id\":\"d3f:OperatingSystemLogFile\",\"rdfs:label\":[\"Operating System Log File\"]},{\"@id\":\"d3f:OperatingSystemPackagingTool\",\"rdfs:label\":[\"Operating System Packaging Tool\"]},{\"@id\":\"d3f:OperatingSystemProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ScheduledJob\"},{\"@id\":\"d3f:SystemInitProcess\"}],\"rdfs:label\":[\"Operating System Process\"],\"skos:altLabel\":[\"System Process\"]},{\"@id\":\"d3f:OperatingSystemSharedLibraryFile\",\"rdfs:label\":[\"Operating System Shared Library File\"]},{\"@id\":\"d3f:OperationsCenterComputer\",\"rdfs:label\":[\"Operations Center Computer\"],\"skos:altLabel\":[\"Mainframe\"]},{\"@id\":\"d3f:OpticalDiscImage\",\"rdfs:label\":[\"Optical Disc Image\"]},{\"@id\":\"d3f:OpticalModem\",\"rdfs:label\":[\"Optical Modem\"]},{\"@id\":\"d3f:OrchestrationController\",\"rdfs:label\":[\"Orchestration 
Controller\"]},{\"@id\":\"d3f:OrchestrationServer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OrchestrationController\"},{\"@id\":\"d3f:OrchestrationWorker\"}],\"rdfs:label\":[\"Orchestration Server\"]},{\"@id\":\"d3f:OrchestrationWorker\",\"rdfs:label\":[\"Orchestration Worker\"]},{\"@id\":\"d3f:OutboundInternetDNSLookupTraffic\",\"rdfs:label\":[\"Outbound Internet DNS Lookup Traffic\"]},{\"@id\":\"d3f:OutboundInternetEncryptedRemoteTerminalTraffic\",\"rdfs:label\":[\"Outbound Internet Encrypted Remote Terminal Traffic\"],\"skos:altLabel\":[\"Outbound Internet Encrypted RDP Traffic\",\"Outbound Internet Encrypted SSH Traffic\"]},{\"@id\":\"d3f:OutboundInternetEncryptedTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetEncryptedWebTraffic\"},{\"@id\":\"d3f:OutboundInternetEncryptedRemoteTerminalTraffic\"}],\"rdfs:label\":[\"Outbound Internet Encrypted Traffic\"]},{\"@id\":\"d3f:OutboundInternetEncryptedWebTraffic\",\"rdfs:label\":[\"Outbound Internet Encrypted Web Traffic\"]},{\"@id\":\"d3f:OutboundInternetFileTransferTraffic\",\"rdfs:label\":[\"Outbound Internet File Transfer Traffic\"]},{\"@id\":\"d3f:OutboundInternetMailTraffic\",\"rdfs:label\":[\"Outbound Internet Mail Traffic\"],\"skos:altLabel\":[\"Outbound Internet Email Traffic\"]},{\"@id\":\"d3f:OutboundInternetNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetDNSLookupTraffic\"},{\"@id\":\"d3f:OutboundInternetFileTransferTraffic\"},{\"@id\":\"d3f:OutboundInternetRPCTraffic\"},{\"@id\":\"d3f:OutboundInternetWebTraffic\"},{\"@id\":\"d3f:OutboundInternetEncryptedTraffic\"},{\"@id\":\"d3f:OutboundInternetMailTraffic\"}],\"rdfs:label\":[\"Outbound Internet Network Traffic\"]},{\"@id\":\"d3f:OutboundInternetRPCTraffic\",\"rdfs:label\":[\"Outbound Internet RPC Traffic\"]},{\"@id\":\"d3f:OutboundInternetWebTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetEncryptedWebTraffic\"}],\"rdfs:label\":[\"Outbound Internet Web 
Traffic\"]},{\"@id\":\"d3f:OutboundNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetDNSLookupTraffic\"},{\"@id\":\"d3f:OutboundInternetFileTransferTraffic\"},{\"@id\":\"d3f:OutboundInternetNetworkTraffic\"},{\"@id\":\"d3f:OutboundInternetRPCTraffic\"}],\"rdfs:label\":[\"Outbound Network Traffic\"]},{\"@id\":\"d3f:OutputDevice\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Actuator\"},{\"@id\":\"d3f:DisplayAdapter\"}],\"rdfs:label\":[\"Output Device\"]},{\"@id\":\"d3f:POSIXSymbolicLink\",\"rdfs:label\":[\"POSIX Symbolic Link\"]},{\"@id\":\"d3f:PacketLog\",\"rdfs:label\":[\"Packet Log\"]},{\"@id\":\"d3f:Page\",\"rdfs:label\":[\"Page\"]},{\"@id\":\"d3f:PageFrame\",\"rdfs:label\":[\"Page Frame\"]},{\"@id\":\"d3f:PageTable\",\"rdfs:label\":[\"Page Table\"]},{\"@id\":\"d3f:ParentProcess\",\"rdfs:label\":[\"Parent Process\"]},{\"@id\":\"d3f:Partition\",\"rdfs:label\":[\"Partition\"],\"skos:altLabel\":[\"Disk Partition\",\"Disk Slice\"]},{\"@id\":\"d3f:PartitionTable\",\"rdfs:label\":[\"Partition Table\"]},{\"@id\":\"d3f:Password\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:EncryptedPassword\"}],\"rdfs:label\":[\"Password\"],\"skos:altLabel\":[\"Passcode\"]},{\"@id\":\"d3f:PasswordDatabase\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PasswordFile\"},{\"@id\":\"d3f:PasswordStore\"},{\"@id\":\"d3f:SystemPasswordDatabase\"}],\"rdfs:label\":[\"Password Database\"]},{\"@id\":\"d3f:PasswordFile\",\"rdfs:label\":[\"Password File\"]},{\"@id\":\"d3f:PasswordManager\",\"rdfs:label\":[\"Password Manager\"]},{\"@id\":\"d3f:PasswordStore\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:In-memoryPasswordStore\"},{\"@id\":\"d3f:MacOSKeychain\"}],\"rdfs:label\":[\"Password Store\"]},{\"@id\":\"d3f:PeripheralFirmware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:GraphicsCardFirmware\"},{\"@id\":\"d3f:HardDiskFirmware\"},{\"@id\":\"d3f:HumanInputDeviceFirmware\"},{\"@id\":\"d3f:NetworkCardFirmware\"},{\"@id\":\"d3f:PeripheralHubFirmware\"}],\"rdfs:label\":[\"Peripheral 
Firmware\"]},{\"@id\":\"d3f:PeripheralHubFirmware\",\"rdfs:label\":[\"Peripheral Hub Firmware\"],\"skos:altLabel\":[\"USB Hub Firmware\"]},{\"@id\":\"d3f:PersonalComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DesktopComputer\"},{\"@id\":\"d3f:IPPhone\"},{\"@id\":\"d3f:LaptopComputer\"},{\"@id\":\"d3f:MobilePhone\"},{\"@id\":\"d3f:TabletComputer\"}],\"rdfs:label\":[\"Personal Computer\"]},{\"@id\":\"d3f:PhysicalAddress\",\"rdfs:label\":[\"Physical Address\"]},{\"@id\":\"d3f:PhysicalLink\",\"rdfs:label\":[\"Physical Link\"]},{\"@id\":\"d3f:Pipe\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AnonymousPipe\"},{\"@id\":\"d3f:NamedPipe\"}],\"rdfs:label\":[\"Pipe\"],\"skos:altLabel\":[\"Pipeline\"]},{\"@id\":\"d3f:Pointer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SavedInstructionPointer\"}],\"rdfs:label\":[\"Pointer\"]},{\"@id\":\"d3f:PointerDereferencingFunction\",\"rdfs:label\":[\"Pointer Dereferencing Function\"]},{\"@id\":\"d3f:PowerShellProfileScript\",\"rdfs:label\":[\"PowerShell Profile Script\"]},{\"@id\":\"d3f:PowerSupply\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTPowerSupply\"}],\"rdfs:label\":[\"Power Supply\"]},{\"@id\":\"d3f:PrimaryStorage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RAM\"},{\"@id\":\"d3f:ROM\"},{\"@id\":\"d3f:CacheMemory\"},{\"@id\":\"d3f:ProcessorRegister\"}],\"rdfs:label\":[\"Primary Storage\"]},{\"@id\":\"d3f:PrintServer\",\"rdfs:label\":[\"Print Server\"]},{\"@id\":\"d3f:PrivateKey\",\"rdfs:label\":[\"Private Key\"]},{\"@id\":\"d3f:PrivilegedUserAccount\",\"rdfs:label\":[\"Privileged User Account\"]},{\"@id\":\"d3f:Process\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserProcess\"},{\"@id\":\"d3f:ChildProcess\"},{\"@id\":\"d3f:OperatingSystemProcess\"},{\"@id\":\"d3f:ParentProcess\"}],\"rdfs:label\":[\"Process\"]},{\"@id\":\"d3f:ProcessCodeSegment\",\"rdfs:label\":[\"Process Code Segment\"],\"skos:altLabel\":[\"Process Text Segment\"]},{\"@id\":\"d3f:ProcessDataSegment\",\"rdfs:label\":[\"Process Data 
Segment\"]},{\"@id\":\"d3f:ProcessEnvironmentVariable\",\"rdfs:label\":[\"Process Environment Variable\"],\"skos:altLabel\":[\"Environment Variable\"]},{\"@id\":\"d3f:ProcessImage\",\"rdfs:label\":[\"Process Image\"]},{\"@id\":\"d3f:ProcessSegment\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:HeapSegment\"},{\"@id\":\"d3f:ProcessCodeSegment\"},{\"@id\":\"d3f:ProcessDataSegment\"},{\"@id\":\"d3f:StackSegment\"}],\"rdfs:label\":[\"Process Segment\"]},{\"@id\":\"d3f:ProcessStartFunction\",\"rdfs:label\":[\"Process Start Function\"]},{\"@id\":\"d3f:ProcessTree\",\"rdfs:label\":[\"Process Tree\"]},{\"@id\":\"d3f:Processor\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:GraphicsProcessingUnit\"},{\"@id\":\"d3f:CentralProcessingUnit\"}],\"rdfs:label\":[\"Processor\"]},{\"@id\":\"d3f:ProcessorComponent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:MemoryManagementUnit\"},{\"@id\":\"d3f:MemoryProtectionUnit\"}],\"rdfs:label\":[\"Processor Component\"]},{\"@id\":\"d3f:ProcessorRegister\",\"rdfs:label\":[\"Processor Register\"]},{\"@id\":\"d3f:PropertyListFile\",\"rdfs:label\":[\"Property List File\"],\"skos:altLabel\":[\"Plist File\"]},{\"@id\":\"d3f:ProxyServer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ForwardProxyServer\"},{\"@id\":\"d3f:ReverseProxyServer\"}],\"rdfs:label\":[\"Proxy Server\"]},{\"@id\":\"d3f:PublicKey\",\"rdfs:label\":[\"Public Key\"]},{\"@id\":\"d3f:PythonPackage\",\"rdfs:label\":[\"Python Package\"]},{\"@id\":\"d3f:PythonScriptFile\",\"rdfs:label\":[\"Python Script File\"]},{\"@id\":\"d3f:RAM\",\"rdfs:label\":[\"RAM\"]},{\"@id\":\"d3f:RDPSession\",\"rdfs:label\":[\"RDP Session\"],\"skos:altLabel\":[\"Remote Desktop Session\",\"Terminal Services\"]},{\"@id\":\"d3f:RFNode\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RFReceiver\"},{\"@id\":\"d3f:RFTransmitter\"},{\"@id\":\"d3f:RFTransceiver\"}],\"rdfs:label\":[\"RF Node\"]},{\"@id\":\"d3f:RFReceiver\",\"rdfs:label\":[\"RF Receiver\"]},{\"@id\":\"d3f:RFTransceiver\",\"rdfs:label\":[\"RF 
Transceiver\"]},{\"@id\":\"d3f:RFTransmitter\",\"rdfs:label\":[\"RF Transmitter\"]},{\"@id\":\"d3f:ROM\",\"rdfs:label\":[\"ROM\"]},{\"@id\":\"d3f:RPCNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetRPCTraffic\"},{\"@id\":\"d3f:IntranetRPCNetworkTraffic\"}],\"rdfs:label\":[\"RPC Network Traffic\"]},{\"@id\":\"d3f:RadioModem\",\"rdfs:label\":[\"Radio Modem\"]},{\"@id\":\"d3f:RawMemoryAccessFunction\",\"rdfs:label\":[\"Raw Memory Access Function\"]},{\"@id\":\"d3f:ReadFile\",\"rdfs:label\":[\"Read File\"]},{\"@id\":\"d3f:ReadMemory\",\"rdfs:label\":[\"Read Memory\"]},{\"@id\":\"d3f:Record\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:BootRecord\"},{\"@id\":\"d3f:DNSRecord\"},{\"@id\":\"d3f:DigitalEventRecord\"},{\"@id\":\"d3f:SystemUtilizationRecord\"},{\"@id\":\"d3f:ConfigurationDatabaseRecord\"}],\"rdfs:label\":[\"Record\"]},{\"@id\":\"d3f:RemoteAuthenticationService\",\"rdfs:label\":[\"Remote Authentication Service\"]},{\"@id\":\"d3f:RemoteAuthorizationService\",\"rdfs:label\":[\"Remote Authorization Service\"]},{\"@id\":\"d3f:RemoteCommand\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RemoteDatabaseQuery\"},{\"@id\":\"d3f:RemoteProcedureCall\"}],\"rdfs:label\":[\"Remote Command\"]},{\"@id\":\"d3f:RemoteDatabaseQuery\",\"rdfs:label\":[\"Remote Database Query\"]},{\"@id\":\"d3f:RemoteLoginSession\",\"rdfs:label\":[\"Remote Login Session\"]},{\"@id\":\"d3f:RemoteProcedureCall\",\"rdfs:label\":[\"Remote Procedure Call\"]},{\"@id\":\"d3f:RemoteResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:NetworkResource\"}],\"rdfs:label\":[\"Remote Resource\"]},{\"@id\":\"d3f:RemoteSession\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:RDPSession\"},{\"@id\":\"d3f:SSHSession\"}],\"rdfs:label\":[\"Remote Session\"]},{\"@id\":\"d3f:RemoteTerminalSession\",\"rdfs:label\":[\"Remote Terminal Session\"]},{\"@id\":\"d3f:RemovableMediaDevice\",\"rdfs:label\":[\"Removable Media 
Device\"]},{\"@id\":\"d3f:Repository\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SoftwareRepository\"}],\"rdfs:label\":[\"Repository\"]},{\"@id\":\"d3f:Resource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:File\"},{\"@id\":\"d3f:LocalResource\"},{\"@id\":\"d3f:RemoteResource\"},{\"@id\":\"d3f:ConfigurationResource\"}],\"rdfs:label\":[\"Resource\"]},{\"@id\":\"d3f:ResourceAccess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LocalResourceAccess\"},{\"@id\":\"d3f:NetworkResourceAccess\"}],\"rdfs:label\":[\"Resource Access\"]},{\"@id\":\"d3f:ResourceFork\",\"rdfs:label\":[\"Resource Fork\"]},{\"@id\":\"d3f:ResumeProcess\",\"rdfs:label\":[\"Resume Process\"]},{\"@id\":\"d3f:ResumeThread\",\"rdfs:label\":[\"Resume Thread\"]},{\"@id\":\"d3f:ReverseProxyServer\",\"rdfs:label\":[\"Reverse Proxy Server\"]},{\"@id\":\"d3f:Router\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WirelessRouter\"}],\"rdfs:label\":[\"Router\"]},{\"@id\":\"d3f:SSHSession\",\"rdfs:label\":[\"SSH Session\"]},{\"@id\":\"d3f:SaveRegister\",\"rdfs:label\":[\"Save Registers\"]},{\"@id\":\"d3f:SavedInstructionPointer\",\"rdfs:label\":[\"Saved Instruction Pointer\"]},{\"@id\":\"d3f:ScheduledJob\",\"rdfs:label\":[\"Scheduled Job\"]},{\"@id\":\"d3f:ScriptApplicationProcess\",\"rdfs:label\":[\"Script Application Process\"],\"skos:altLabel\":[\"Script Process\"]},{\"@id\":\"d3f:Second-stageBootLoader\",\"rdfs:label\":[\"Second-stage Boot Loader\"]},{\"@id\":\"d3f:SecondaryStorage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CloudStorage\"},{\"@id\":\"d3f:FlashMemory\"},{\"@id\":\"d3f:TertiaryStorage\"}],\"rdfs:label\":[\"Secondary Storage\"]},{\"@id\":\"d3f:SecurityToken\",\"rdfs:label\":[\"Security Token\"]},{\"@id\":\"d3f:Sensor\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OTSensor\"},{\"@id\":\"d3f:CyberSensor\"},{\"@id\":\"d3f:TransducerSensor\"}],\"rdfs:label\":[\"Sensor\"]},{\"@id\":\"d3f:SerializationFunction\",\"rdfs:label\":[\"Serialization 
Function\"]},{\"@id\":\"d3f:Server\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ProxyServer\"},{\"@id\":\"d3f:AuthenticationServer\"},{\"@id\":\"d3f:ComputingServer\"},{\"@id\":\"d3f:DatabaseServer\"},{\"@id\":\"d3f:DNSServer\"},{\"@id\":\"d3f:FileServer\"},{\"@id\":\"d3f:MailServer\"},{\"@id\":\"d3f:MediaServer\"},{\"@id\":\"d3f:OrchestrationServer\"},{\"@id\":\"d3f:PrintServer\"},{\"@id\":\"d3f:VPNServer\"},{\"@id\":\"d3f:WebServer\"},{\"@id\":\"d3f:DHCPServer\"},{\"@id\":\"d3f:TFTPServer\"},{\"@id\":\"d3f:NetworkTimeServer\"}],\"rdfs:label\":[\"Server\"]},{\"@id\":\"d3f:ServiceAccount\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KerberosTicketGrantingTicketAccount\"}],\"rdfs:label\":[\"Service Account\"]},{\"@id\":\"d3f:ServiceApplication\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ContainerOrchestrationSoftware\"},{\"@id\":\"d3f:ContainerRuntime\"},{\"@id\":\"d3f:CredentialManagementSystem\"},{\"@id\":\"d3f:SoftwareDeploymentTool\"},{\"@id\":\"d3f:VirtualizationSoftware\"},{\"@id\":\"d3f:WebServerApplication\"}],\"rdfs:label\":[\"Service Application\"]},{\"@id\":\"d3f:ServiceApplicationProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AuthenticationService\"},{\"@id\":\"d3f:AuthorizationService\"},{\"@id\":\"d3f:NetworkService\"}],\"rdfs:label\":[\"Service Application Process\"]},{\"@id\":\"d3f:ServiceDependency\",\"rdfs:label\":[\"Service Dependency\"]},{\"@id\":\"d3f:Session\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LoginSession\"},{\"@id\":\"d3f:NetworkSession\"}],\"rdfs:label\":[\"Session\"]},{\"@id\":\"d3f:SessionCookie\",\"rdfs:label\":[\"Session Cookie\"],\"skos:altLabel\":[\"In-memory Cookie\",\"Non-persistent Cookie\",\"Transient Cookie\",\"Web Session Cookie\"]},{\"@id\":\"d3f:SessionToken\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebAccessToken\"}],\"rdfs:label\":[\"Session Token\"]},{\"@id\":\"d3f:SetRegisters\",\"rdfs:label\":[\"Set Registers\"]},{\"@id\":\"d3f:SetSystemConfigValue\",\"rdfs:label\":[\"Set System Config 
Value\"]},{\"@id\":\"d3f:SetThreadContext\",\"rdfs:label\":[\"Set Thread Context\"]},{\"@id\":\"d3f:ShadowStack\",\"rdfs:label\":[\"Shadow Stack\"]},{\"@id\":\"d3f:SharedComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KioskComputer\"},{\"@id\":\"d3f:NetworkPrinter\"},{\"@id\":\"d3f:OperationsCenterComputer\"},{\"@id\":\"d3f:ThinClientComputer\"}],\"rdfs:label\":[\"Shared Computer\"]},{\"@id\":\"d3f:SharedLibraryFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OperatingSystemSharedLibraryFile\"}],\"rdfs:label\":[\"Shared Library File\"],\"skos:altLabel\":[\"Shared Library\",\"Shared Object\"]},{\"@id\":\"d3f:SharedResourceAccessFunction\",\"rdfs:label\":[\"Shared Resource Access Function\"]},{\"@id\":\"d3f:Shim\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationShim\"}],\"rdfs:label\":[\"Shim\"]},{\"@id\":\"d3f:ShimDatabase\",\"rdfs:label\":[\"Shim Database\"]},{\"@id\":\"d3f:ShortcutFile\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsShortcutFile\"}],\"rdfs:label\":[\"Shortcut File\"]},{\"@id\":\"d3f:SlowSymbolicLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Alias\"}],\"rdfs:label\":[\"Slow Symbolic Link\"],\"skos:altLabel\":[\"Slow Symlink\"]},{\"@id\":\"d3f:Software\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Application\"},{\"@id\":\"d3f:BootLoader\"},{\"@id\":\"d3f:Firmware\"},{\"@id\":\"d3f:Shim\"},{\"@id\":\"d3f:SoftwarePatch\"},{\"@id\":\"d3f:Subroutine\"},{\"@id\":\"d3f:SystemServiceSoftware\"},{\"@id\":\"d3f:SystemSoftware\"},{\"@id\":\"d3f:UtilitySoftware\"},{\"@id\":\"d3f:CollectorAgent\"},{\"@id\":\"d3f:SoftwareLibrary\"},{\"@id\":\"d3f:OSAPIFunction\"}],\"rdfs:label\":[\"Software\"]},{\"@id\":\"d3f:SoftwareArtifactServer\",\"rdfs:label\":[\"Software Artifact Server\"]},{\"@id\":\"d3f:SoftwareDeploymentTool\",\"rdfs:label\":[\"Software Deployment Tool\"]},{\"@id\":\"d3f:SoftwareLibrary\",\"rdfs:label\":[\"Software Library\"]},{\"@id\":\"d3f:SoftwareLibraryFile\",\"rdfs:label\":[\"Software Library 
File\"]},{\"@id\":\"d3f:SoftwarePackage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ContainerImage\"},{\"@id\":\"d3f:JavaArchive\"},{\"@id\":\"d3f:PythonPackage\"}],\"rdfs:label\":[\"Software Package\"]},{\"@id\":\"d3f:SoftwarePackagingTool\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ContainerBuildTool\"},{\"@id\":\"d3f:OperatingSystemPackagingTool\"}],\"rdfs:label\":[\"Software Packaging Tool\"]},{\"@id\":\"d3f:SoftwarePatch\",\"rdfs:label\":[\"Software Patch\"],\"skos:altLabel\":[\"Patch\"]},{\"@id\":\"d3f:SoftwareRepository\",\"rdfs:label\":[\"Software Repository\"],\"skos:altLabel\":[\"Package Repository\"]},{\"@id\":\"d3f:SourceCodeAnalyzerTool\",\"rdfs:label\":[\"Source Code Analyzer Tool\"]},{\"@id\":\"d3f:StackComponent\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SavedInstructionPointer\"},{\"@id\":\"d3f:StackFrame\"},{\"@id\":\"d3f:StackFrameCanary\"}],\"rdfs:label\":[\"Stack Component\"]},{\"@id\":\"d3f:StackFrame\",\"rdfs:label\":[\"Stack Frame\"],\"skos:altLabel\":[\"Activation Frame\",\"Activation Record\"]},{\"@id\":\"d3f:StackFrameCanary\",\"rdfs:label\":[\"Stack Frame Canary\"],\"skos:altLabel\":[\"Stack Canary\"]},{\"@id\":\"d3f:StackSegment\",\"rdfs:label\":[\"Stack Segment\"]},{\"@id\":\"d3f:StartupDirectory\",\"rdfs:label\":[\"Startup Directory\"]},{\"@id\":\"d3f:StaticAnalysisTool\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SourceCodeAnalyzerTool\"}],\"rdfs:label\":[\"Static Analysis Tool\"],\"skos:altLabel\":[\"Static Program Analysis Tool\"]},{\"@id\":\"d3f:Storage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PrimaryStorage\"},{\"@id\":\"d3f:SecondaryStorage\"}],\"rdfs:label\":[\"Storage\"]},{\"@id\":\"d3f:StorageImage\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DiskImage\"},{\"@id\":\"d3f:VMImage\"},{\"@id\":\"d3f:SystemStateImage\"}],\"rdfs:label\":[\"Storage Image\"]},{\"@id\":\"d3f:StorageSnapshot\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:VolumeSnapshot\"}],\"rdfs:label\":[\"Storage Snapshot\"]},{\"@id\":\"d3f:StoredProcedure\",\"rdfs:label\":[\"Stored 
Procedure\"]},{\"@id\":\"d3f:StringFormatFunction\",\"rdfs:label\":[\"String Format Function\"]},{\"@id\":\"d3f:Subroutine\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:StoredProcedure\"},{\"@id\":\"d3f:AuthenticationFunction\"},{\"@id\":\"d3f:ConsoleOutputFunction\"},{\"@id\":\"d3f:CopyMemoryFunction\"},{\"@id\":\"d3f:DeserializationFunction\"},{\"@id\":\"d3f:EvalFunction\"},{\"@id\":\"d3f:ExternalContentInclusionFunction\"},{\"@id\":\"d3f:FilePathOpenFunction\"},{\"@id\":\"d3f:ImportLibraryFunction\"},{\"@id\":\"d3f:LogMessageFunction\"},{\"@id\":\"d3f:MathematicalFunction\"},{\"@id\":\"d3f:MemoryAllocationFunction\"},{\"@id\":\"d3f:MemoryFreeFunction\"},{\"@id\":\"d3f:PointerDereferencingFunction\"},{\"@id\":\"d3f:ProcessStartFunction\"},{\"@id\":\"d3f:RawMemoryAccessFunction\"},{\"@id\":\"d3f:SerializationFunction\"},{\"@id\":\"d3f:SharedResourceAccessFunction\"},{\"@id\":\"d3f:StringFormatFunction\"},{\"@id\":\"d3f:ThreadStartFunction\"},{\"@id\":\"d3f:InputFunction\"},{\"@id\":\"d3f:ExceptionHandler\"}],\"rdfs:label\":[\"Subroutine\"]},{\"@id\":\"d3f:SuspendProcess\",\"rdfs:label\":[\"Suspend Process\"]},{\"@id\":\"d3f:SuspendThread\",\"rdfs:label\":[\"Suspend Thread\"]},{\"@id\":\"d3f:Switch\",\"rdfs:label\":[\"Switch\"],\"skos:altLabel\":[\"Bridging Hub\",\"MAC Bridge\",\"Network Switch\",\"Switching Hub\"]},{\"@id\":\"d3f:SymbolicLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:POSIXSymbolicLink\"},{\"@id\":\"d3f:SlowSymbolicLink\"},{\"@id\":\"d3f:NTFSJunctionPoint\"},{\"@id\":\"d3f:NTFSSymbolicLink\"},{\"@id\":\"d3f:FastSymbolicLink\"}],\"rdfs:label\":[\"Symbolic Link\"],\"skos:altLabel\":[\"Soft Link\",\"Softlink\",\"Symlink\"]},{\"@id\":\"d3f:SymmetricKey\",\"rdfs:label\":[\"Symmetric 
Key\"]},{\"@id\":\"d3f:SystemCall\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:AuthenticateUser\"},{\"@id\":\"d3f:ConnectSocket\"},{\"@id\":\"d3f:CopyToken\"},{\"@id\":\"d3f:CreateFile\"},{\"@id\":\"d3f:CreateProcess\"},{\"@id\":\"d3f:CreateSocket\"},{\"@id\":\"d3f:CreateThread\"},{\"@id\":\"d3f:GetSystemTime\"},{\"@id\":\"d3f:ImpersonateUser\"},{\"@id\":\"d3f:LogonUser\"},{\"@id\":\"d3f:MoveFile\"},{\"@id\":\"d3f:OpenFile\"},{\"@id\":\"d3f:ReadFile\"},{\"@id\":\"d3f:TerminateProcess\"},{\"@id\":\"d3f:TraceProcess\"},{\"@id\":\"d3f:WriteFile\"},{\"@id\":\"d3f:GetOpenWindows\"},{\"@id\":\"d3f:SystemConfigSystemCall\"},{\"@id\":\"d3f:GetOpenSockets\"},{\"@id\":\"d3f:GetRunningProcesses\"},{\"@id\":\"d3f:GetScreenCapture\"},{\"@id\":\"d3f:SuspendProcess\"},{\"@id\":\"d3f:AllocateMemory\"},{\"@id\":\"d3f:FreeMemory\"},{\"@id\":\"d3f:DeleteFile\"},{\"@id\":\"d3f:SuspendThread\"},{\"@id\":\"d3f:Exec\"},{\"@id\":\"d3f:AccessProcess\"},{\"@id\":\"d3f:GetThreadContext\"},{\"@id\":\"d3f:ReadMemory\"},{\"@id\":\"d3f:ResumeThread\"},{\"@id\":\"d3f:SaveRegister\"},{\"@id\":\"d3f:SetRegisters\"},{\"@id\":\"d3f:SetThreadContext\"},{\"@id\":\"d3f:TraceThread\"},{\"@id\":\"d3f:ResumeProcess\"},{\"@id\":\"d3f:WriteMemory\"},{\"@id\":\"d3f:LoadModule\"},{\"@id\":\"d3f:UnloadModule\"}],\"rdfs:label\":[\"System Call\"]},{\"@id\":\"d3f:SystemConfigSystemCall\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:GetSystemConfigValue\"},{\"@id\":\"d3f:SetSystemConfigValue\"}],\"rdfs:label\":[\"System Config System Call\"]},{\"@id\":\"d3f:SystemConfigurationDatabase\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsRegistry\"}],\"rdfs:label\":[\"System Configuration Database\"]},{\"@id\":\"d3f:SystemConfigurationDatabaseRecord\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WindowsRegistryKey\"},{\"@id\":\"d3f:WindowsRegistryValue\"},{\"@id\":\"d3f:SystemConfigurationInitDatabaseRecord\"}],\"rdfs:label\":[\"System Configuration Database 
Record\"]},{\"@id\":\"d3f:SystemConfigurationInitDatabaseRecord\",\"rdfs:label\":[\"System Configuration Init Database Record\"],\"skos:altLabel\":[\"System Configuration Startup Database Record\"]},{\"@id\":\"d3f:SystemConfigurationInitResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SystemStartupDirectory\"},{\"@id\":\"d3f:SystemConfigurationInitDatabaseRecord\"},{\"@id\":\"d3f:SystemInitScript\"}],\"rdfs:label\":[\"System Configuration Init Resource\"],\"skos:altLabel\":[\"System Init Resource\"]},{\"@id\":\"d3f:SystemDependency\",\"rdfs:label\":[\"System Dependency\"]},{\"@id\":\"d3f:SystemFirewallConfiguration\",\"rdfs:label\":[\"System Firewall Configuration\"]},{\"@id\":\"d3f:SystemFirmware\",\"rdfs:label\":[\"System Firmware\"],\"skos:altLabel\":[\"BIOS Firmware\",\"UEFI Firmware\"]},{\"@id\":\"d3f:SystemInitConfiguration\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SystemStartupDirectory\"},{\"@id\":\"d3f:SystemConfigurationInitDatabaseRecord\"},{\"@id\":\"d3f:SystemInitScript\"}],\"rdfs:label\":[\"System Init Configuration\"],\"skos:altLabel\":[\"Autoruns\"]},{\"@id\":\"d3f:SystemInitProcess\",\"rdfs:label\":[\"System Init Process\"],\"skos:altLabel\":[\"System Initialization Process\",\"System Startup Process\"]},{\"@id\":\"d3f:SystemInitScript\",\"rdfs:label\":[\"System Init Script\"]},{\"@id\":\"d3f:SystemPasswordDatabase\",\"rdfs:label\":[\"System Password Database\"]},{\"@id\":\"d3f:SystemServiceSoftware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:JobSchedulerSoftware\"},{\"@id\":\"d3f:LocalAuthenticationService\"},{\"@id\":\"d3f:LocalAuthorizationService\"}],\"rdfs:label\":[\"System Service Software\"]},{\"@id\":\"d3f:SystemSoftware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Host-basedFirewall\"},{\"@id\":\"d3f:Kernel\"}],\"rdfs:label\":[\"System Software\"]},{\"@id\":\"d3f:SystemStartupDirectory\",\"rdfs:label\":[\"System Startup Directory\"]},{\"@id\":\"d3f:SystemStateImage\",\"rdfs:label\":[\"System State Image\"],\"skos:altLabel\":[\"System 
Image\"]},{\"@id\":\"d3f:SystemTimeApplication\",\"rdfs:label\":[\"System Time Application\"]},{\"@id\":\"d3f:SystemUtilizationRecord\",\"rdfs:label\":[\"System Utilization Record\"]},{\"@id\":\"d3f:TFTPNetworkTraffic\",\"rdfs:label\":[\"TFTP Network Traffic\"]},{\"@id\":\"d3f:TFTPServer\",\"rdfs:label\":[\"TFTP Server\"]},{\"@id\":\"d3f:TabletComputer\",\"rdfs:label\":[\"Tablet Computer\"],\"skos:altLabel\":[\"Tablet\"]},{\"@id\":\"d3f:TerminateProcess\",\"rdfs:label\":[\"Terminate Process\"]},{\"@id\":\"d3f:TertiaryStorage\",\"rdfs:label\":[\"Tertiary Storage\"]},{\"@id\":\"d3f:TestExecutionTool\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:IntegrationTestExecutionTool\"},{\"@id\":\"d3f:UnitTestExecutionTool\"}],\"rdfs:label\":[\"Test Execution Tool\"],\"skos:altLabel\":[\"Test Execution Engine\",\"Test Executive\",\"Test Manager\"]},{\"@id\":\"d3f:ThinClientComputer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ZeroClientComputer\"}],\"rdfs:label\":[\"Thin Client Computer\"]},{\"@id\":\"d3f:Thread\",\"rdfs:label\":[\"Thread\"]},{\"@id\":\"d3f:ThreadStartFunction\",\"rdfs:label\":[\"Thread Start Function\"]},{\"@id\":\"d3f:TicketGrantingTicket\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:KerberosTicketGrantingTicket\"}],\"rdfs:label\":[\"Ticket Granting Ticket\"],\"skos:altLabel\":[\"Golden Ticket\"]},{\"@id\":\"d3f:TraceProcess\",\"rdfs:label\":[\"Trace Process\"],\"skos:altLabel\":[\"Open Process\"]},{\"@id\":\"d3f:TraceThread\",\"rdfs:label\":[\"Trace Thread\"]},{\"@id\":\"d3f:TransducerSensor\",\"rdfs:label\":[\"Transducer Sensor\"]},{\"@id\":\"d3f:TranslationLookasideBuffer\",\"rdfs:label\":[\"Translation Lookaside Buffer\"]},{\"@id\":\"d3f:TransportLink\",\"rdfs:label\":[\"Transport Link\"]},{\"@id\":\"d3f:TrustStore\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CertificateTrustStore\"}],\"rdfs:label\":[\"Trust Store\"]},{\"@id\":\"d3f:URL\",\"rdfs:label\":[\"URL\"],\"skos:altLabel\":[\"Uniform Resource Locator\"]},{\"@id\":\"d3f:UnitTestExecutionTool\",\"rdfs:label\":[\"Unit Test 
Execution Tool\"]},{\"@id\":\"d3f:UnixHardLink\",\"rdfs:label\":[\"Unix Hard Link\"]},{\"@id\":\"d3f:UnixLink\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:POSIXSymbolicLink\"},{\"@id\":\"d3f:SlowSymbolicLink\"},{\"@id\":\"d3f:UnixHardLink\"},{\"@id\":\"d3f:FastSymbolicLink\"}],\"rdfs:label\":[\"Unix Link\"]},{\"@id\":\"d3f:UnloadModule\",\"rdfs:label\":[\"Unload Module\"]},{\"@id\":\"d3f:User\",\"rdfs:label\":[\"User\"]},{\"@id\":\"d3f:UserAccount\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:LocalUserAccount\"},{\"@id\":\"d3f:CloudUserAccount\"},{\"@id\":\"d3f:DefaultUserAccount\"},{\"@id\":\"d3f:DomainUserAccount\"},{\"@id\":\"d3f:ServiceAccount\"},{\"@id\":\"d3f:PrivilegedUserAccount\"}],\"rdfs:label\":[\"User Account\"]},{\"@id\":\"d3f:UserAction\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ResourceAccess\"}],\"rdfs:label\":[\"User Action\"]},{\"@id\":\"d3f:UserApplication\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:Browser\"},{\"@id\":\"d3f:BrowserExtension\"},{\"@id\":\"d3f:CollaborativeSoftware\"},{\"@id\":\"d3f:DeveloperApplication\"},{\"@id\":\"d3f:OfficeApplication\"},{\"@id\":\"d3f:ApplicationInstaller\"}],\"rdfs:label\":[\"User Application\"]},{\"@id\":\"d3f:UserBehavior\",\"rdfs:label\":[\"User Behavior\"]},{\"@id\":\"d3f:UserGroup\",\"rdfs:label\":[\"User Group\"]},{\"@id\":\"d3f:UserInitConfigurationFile\",\"rdfs:label\":[\"User Init Configuration File\"],\"skos:altLabel\":[\"User Configuration File\"]},{\"@id\":\"d3f:UserInitScript\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:PowerShellProfileScript\"}],\"rdfs:label\":[\"User Init Script\"]},{\"@id\":\"d3f:UserInputFunction\",\"rdfs:label\":[\"User Input Function\"]},{\"@id\":\"d3f:UserInterface\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:CommandLineInterface\"},{\"@id\":\"d3f:GraphicalUserInterface\"}],\"rdfs:label\":[\"User 
Interface\"],\"skos:altLabel\":[\"UI\"]},{\"@id\":\"d3f:UserLogonInitResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:UserStartupScriptFile\"},{\"@id\":\"d3f:UserInitConfigurationFile\"},{\"@id\":\"d3f:UserInitScript\"},{\"@id\":\"d3f:UserStartupDirectory\"}],\"rdfs:label\":[\"User Logon Init Resource\"]},{\"@id\":\"d3f:UserProcess\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ApplicationProcess\"}],\"rdfs:label\":[\"User Process\"]},{\"@id\":\"d3f:UserProfile\",\"rdfs:label\":[\"User Profile\"]},{\"@id\":\"d3f:UserStartupDirectory\",\"rdfs:label\":[\"User Startup Directory\"]},{\"@id\":\"d3f:UserStartupScriptFile\",\"rdfs:label\":[\"User Startup Script File\"]},{\"@id\":\"d3f:UserToUserMessage\",\"rdfs:label\":[\"User to User Message\"],\"skos:altLabel\":[\"Personal Message\",\"Private Message\"]},{\"@id\":\"d3f:UtilitySoftware\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:SystemTimeApplication\"}],\"rdfs:label\":[\"Utility Software\"],\"skos:altLabel\":[\"Utility Application\"]},{\"@id\":\"d3f:VMImage\",\"rdfs:label\":[\"Virtual Machine Image\"],\"skos:altLabel\":[\"VM Image\"]},{\"@id\":\"d3f:VPNServer\",\"rdfs:label\":[\"VPN Server\"]},{\"@id\":\"d3f:VersionControlTool\",\"rdfs:label\":[\"Version Control Tool\"],\"skos:altLabel\":[\"Revision Control\",\"Source Control\"]},{\"@id\":\"d3f:VideoInputDevice\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ImageScannerInputDevice\"}],\"rdfs:label\":[\"Video Input Device\"]},{\"@id\":\"d3f:VirtualAddress\",\"rdfs:label\":[\"Virtual Address\"]},{\"@id\":\"d3f:VirtualMemorySpace\",\"rdfs:label\":[\"Virtual Memory Space\"]},{\"@id\":\"d3f:VirtualizationSoftware\",\"rdfs:label\":[\"Virtualization Software\"]},{\"@id\":\"d3f:Volume\",\"rdfs:label\":[\"Volume\"],\"skos:altLabel\":[\"Drive Volume\",\"Logical Drive\"]},{\"@id\":\"d3f:VolumeBootRecord\",\"rdfs:label\":[\"Volume Boot 
Record\"]},{\"@id\":\"d3f:VolumeSnapshot\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:DifferentialVolumeSnapshot\"},{\"@id\":\"d3f:FullVolumeSnapshot\"}],\"rdfs:label\":[\"Volume Snapshot\"]},{\"@id\":\"d3f:WebAPIResource\",\"rdfs:label\":[\"Web API Resource\"]},{\"@id\":\"d3f:WebAccessToken\",\"rdfs:label\":[\"Web Access Token\"]},{\"@id\":\"d3f:WebApplicationFirewall\",\"rdfs:label\":[\"Web Application Firewall\"],\"skos:altLabel\":[\"WAF\"]},{\"@id\":\"d3f:WebApplicationServer\",\"rdfs:label\":[\"Web Application Server\"]},{\"@id\":\"d3f:WebFileResource\",\"rdfs:label\":[\"Web File Resource\"]},{\"@id\":\"d3f:WebIdentityToken\",\"rdfs:label\":[\"Web Identity Token\"]},{\"@id\":\"d3f:WebNetworkTraffic\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:OutboundInternetWebTraffic\"},{\"@id\":\"d3f:IntranetWebNetworkTraffic\"}],\"rdfs:label\":[\"Web Network Traffic\"]},{\"@id\":\"d3f:WebResource\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WebFileResource\"},{\"@id\":\"d3f:WebAPIResource\"}],\"rdfs:label\":[\"Web Resource\"]},{\"@id\":\"d3f:WebResourceAccess\",\"rdfs:label\":[\"Web Resource Access\"]},{\"@id\":\"d3f:WebScriptFile\",\"rdfs:label\":[\"Web Script File\"],\"skos:altLabel\":[\"Web Script\"]},{\"@id\":\"d3f:WebServer\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:ArtifactServer\"},{\"@id\":\"d3f:WebApplicationServer\"}],\"rdfs:label\":[\"Web Server\"]},{\"@id\":\"d3f:WebServerApplication\",\"rdfs:label\":[\"Web Server Application\"],\"skos:altLabel\":[\"Web App\",\"Web Application\"]},{\"@id\":\"d3f:WideAreaNetwork\",\"rdfs:label\":[\"Wide Area Network\"],\"skos:altLabel\":[\"WAN\"]},{\"@id\":\"d3f:WindowOpenFile\",\"rdfs:label\":[\"Windows OpenFile\"]},{\"@id\":\"d3f:WindowsCreateFileA\",\"rdfs:label\":[\"Windows CreateFileA\"]},{\"@id\":\"d3f:WindowsCreateProcessA\",\"rdfs:label\":[\"Windows CreateProcessA\"]},{\"@id\":\"d3f:WindowsCreateRemoteThread\",\"rdfs:label\":[\"Windows CreateRemoteThread\"]},{\"@id\":\"d3f:WindowsCreateThread\",\"rdfs:label\":[\"Windows 
CreateThread\"]},{\"@id\":\"d3f:WindowsDeleteFile\",\"rdfs:label\":[\"Windows DeleteFile\"]},{\"@id\":\"d3f:WindowsDuplicateToken\",\"rdfs:label\":[\"Windows DuplicateToken\"]},{\"@id\":\"d3f:WindowsGetThreadContext\",\"rdfs:label\":[\"Windows GetThreadContext\"]},{\"@id\":\"d3f:WindowsNTGetThreadContext\",\"rdfs:label\":[\"Windows NtGetThreadContext\"]},{\"@id\":\"d3f:WindowsNtAllocateVirtualMemory\",\"rdfs:label\":[\"Windows NtAllocateVirtualMemory\"]},{\"@id\":\"d3f:WindowsNtAllocateVirtualMemoryEx\",\"rdfs:label\":[\"Windows NtAllocateVirtualMemoryEx\"]},{\"@id\":\"d3f:WindowsNtCreateFile\",\"rdfs:label\":[\"Windows NtCreateFile\"]},{\"@id\":\"d3f:WindowsNtCreateMailslotFile\",\"rdfs:label\":[\"Windows NtCreateMailslotFile\"]},{\"@id\":\"d3f:WindowsNtCreateNamedPipeFile\",\"rdfs:label\":[\"Windows NtCreateNamedPipeFile\"]},{\"@id\":\"d3f:WindowsNtCreatePagingFile\",\"rdfs:label\":[\"Windows NtCreatePagingFile\"]},{\"@id\":\"d3f:WindowsNtCreateProcess\",\"rdfs:label\":[\"Windows NtCreateProcess\"]},{\"@id\":\"d3f:WindowsNtCreateProcessEx\",\"rdfs:label\":[\"Windows NtCreateProcessEx\"]},{\"@id\":\"d3f:WindowsNtCreateThread\",\"rdfs:label\":[\"Windows NtCreateThread\"]},{\"@id\":\"d3f:WindowsNtCreateThreadEx\",\"rdfs:label\":[\"Windows NtCreateThreadEx\"]},{\"@id\":\"d3f:WindowsNtDeleteFile\",\"rdfs:label\":[\"Windows NtDeleteFile\"]},{\"@id\":\"d3f:WindowsNtDuplicateToken\",\"rdfs:label\":[\"Windows NtDuplicateToken\"]},{\"@id\":\"d3f:WindowsNtFlushInstructionCache\",\"rdfs:label\":[\"Windows NtFlushInstructionCache\"]},{\"@id\":\"d3f:WindowsNtFreeVirtualMemory\",\"rdfs:label\":[\"Windows NtFreeVirtualMemory\"]},{\"@id\":\"d3f:WindowsNtOpenFile\",\"rdfs:label\":[\"Windows NtOpenFile\"]},{\"@id\":\"d3f:WindowsNtOpenProcess\",\"rdfs:label\":[\"Windows NtOpenProcess\"]},{\"@id\":\"d3f:WindowsNtOpenThread\",\"rdfs:label\":[\"Windows NtOpenThread\"]},{\"@id\":\"d3f:WindowsNtProtectVirtualMemory\",\"rdfs:label\":[\"Windows 
NtProtectVirtualMemory\"]},{\"@id\":\"d3f:WindowsNtQuerySystemTime\",\"rdfs:label\":[\"Windows NtQuerySystemTime\"]},{\"@id\":\"d3f:WindowsNtReadFile\",\"rdfs:label\":[\"Windows NtReadFile\"]},{\"@id\":\"d3f:WindowsNtReadFileScatter\",\"rdfs:label\":[\"Windows NtReadFileScatter\"]},{\"@id\":\"d3f:WindowsNtResumeThread\",\"rdfs:label\":[\"Windows NtResumeThread\"]},{\"@id\":\"d3f:WindowsNtSetInformationFileArgumentFileDispositionInformation\",\"rdfs:label\":[\"Windows NtSetInformationFile Argument FileDispositionInformation\"]},{\"@id\":\"d3f:WindowsNtSetThreadContext\",\"rdfs:label\":[\"Windows NtSetThreadContext\"]},{\"@id\":\"d3f:WindowsNtSuspendProcess\",\"rdfs:label\":[\"Windows NtSuspendProcess\"]},{\"@id\":\"d3f:WindowsNtSuspendThread\",\"rdfs:label\":[\"Windows NtSuspendThread\"]},{\"@id\":\"d3f:WindowsNtTerminateProcess\",\"rdfs:label\":[\"Windows NtTerminateProcess\"]},{\"@id\":\"d3f:WindowsNtWriteFile\",\"rdfs:label\":[\"Windows NtWriteFile\"]},{\"@id\":\"d3f:WindowsNtWriteFileGather\",\"rdfs:label\":[\"Windows NtWriteFileGather\"]},{\"@id\":\"d3f:WindowsNtWriteVirtualMemory\",\"rdfs:label\":[\"Windows NtWriteVirtualMemory\"]},{\"@id\":\"d3f:WindowsOpenProcess\",\"rdfs:label\":[\"Windows OpenProcess\"]},{\"@id\":\"d3f:WindowsOpenThread\",\"rdfs:label\":[\"Windows OpenThread\"]},{\"@id\":\"d3f:WindowsQueryPerformanceCounter\",\"rdfs:label\":[\"Windows QueryPerformanceCounter\"]},{\"@id\":\"d3f:WindowsReadFile\",\"rdfs:label\":[\"Windows ReadFile\"]},{\"@id\":\"d3f:WindowsRegistry\",\"rdfs:label\":[\"Windows Registry\"]},{\"@id\":\"d3f:WindowsRegistryKey\",\"rdfs:label\":[\"Windows Registry Key\"]},{\"@id\":\"d3f:WindowsRegistryValue\",\"rdfs:label\":[\"Windows Registry Value\"]},{\"@id\":\"d3f:WindowsResumeThread\",\"rdfs:label\":[\"Windows ResumeThread\"]},{\"@id\":\"d3f:WindowsSetThreadContext\",\"rdfs:label\":[\"Windows SetThreadContext\"]},{\"@id\":\"d3f:WindowsShortcutFile\",\"rdfs:label\":[\"Windows Shortcut File\"],\"skos:altLabel\":[\"Shell 
Link\"]},{\"@id\":\"d3f:WindowsSuspendThread\",\"rdfs:label\":[\"Windows SuspendThread\"]},{\"@id\":\"d3f:WindowsTerminateProcess\",\"rdfs:label\":[\"Windows TerminateProcess\"]},{\"@id\":\"d3f:WindowsVirtualAllocEx\",\"rdfs:label\":[\"Windows VirtualAllocEx\"]},{\"@id\":\"d3f:WindowsVirtualFree\",\"rdfs:label\":[\"Windows VirtualFree\"]},{\"@id\":\"d3f:WindowsVirtualProtectEx\",\"rdfs:label\":[\"Windows VirtualProtectEx\"]},{\"@id\":\"d3f:WindowsWriteFile\",\"rdfs:label\":[\"Windows WriteFile\"]},{\"@id\":\"d3f:WindowsWriteProcessMemory\",\"rdfs:label\":[\"Windows WriteProcessMemory\"]},{\"@id\":\"d3f:WirelessAccessPoint\",\"rdfs:hasSubClass\":[{\"@id\":\"d3f:WirelessRouter\"}],\"rdfs:label\":[\"Wireless Access Point\"],\"skos:altLabel\":[\"WAP\"]},{\"@id\":\"d3f:WirelessRouter\",\"rdfs:label\":[\"Wireless Router\"]},{\"@id\":\"d3f:WriteFile\",\"rdfs:label\":[\"Write File\"]},{\"@id\":\"d3f:WriteMemory\",\"rdfs:label\":[\"Write Memory\"]},{\"@id\":\"d3f:ZeroClientComputer\",\"rdfs:label\":[\"Zero Client Computer\"]}]}"}</script>
<script type="application/json" data-sveltekit-fetched data-url="/api/version.json">{"status":200,"statusText":"","headers":{},"body":"{\n \"version\": \"1.0.0\",\n \"release_date\": \"2024-12-20T00:42:42.042Z\",\n \"ontology_hash_sha256\": \"83d0f12f0ab6df441aa7ece4c917e3349586b8a627090f98ddc937a9766dd509\",\n \"ui_commit\": \"07e07a6\",\n \"ui_build_date\": \"2024-12-20T19:18:38.151Z\"\n}"}</script>
<script>
// SvelteKit client bootstrap: loads the two entry modules, starts the app on
// the element that contains this script, and registers the service worker.
// NOTE(review): this is an inline script, so a strict Content-Security-Policy
// needs a nonce or hash for it rather than 'unsafe-inline'.
{
// Global read by the client runtime (the name's suffix looks build-specific —
// confirm). `base` is the directory of the current page URL with the trailing
// slash removed, so the relative imports below resolve wherever the site is
// hosted.
__sveltekit_1j1mce3 = {
base: new URL(".", location).pathname.slice(0, -1)
};
// Must be read synchronously: document.currentScript is only set while this
// inline script is executing, not inside the promise callback below.
const element = document.currentScript.parentElement;
// Three entries, matching the three node_ids passed to kit.start — presumably
// one server-data slot per route node; all are empty here.
const data = [null,null,null];
// Both entry modules are fetched in parallel from same-origin relative URLs;
// kit.start runs only after both have resolved.
Promise.all([
import("./_app/immutable/entry/start.BqLk7f5U.js"),
import("./_app/immutable/entry/app.B0Oi9ysV.js")
]).then(([kit, app]) => {
kit.start(app, element, {
node_ids: [0, 2, 16],
data,
form: null,
error: null
});
});
// Service worker registration is deferred to the window load event.
// A registered worker persists across visits and can intercept every request
// in its scope (by default the directory containing service-worker.js), so the
// file should be reviewed and served with the same care as the page itself.
// NOTE(review): the promise returned by register() is not handled, so a failed
// registration is silent.
if ('serviceWorker' in navigator) {
addEventListener('load', function () {
navigator.serviceWorker.register('./service-worker.js');
});
}
}
</script>
</div>
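<!-- Global site tag (gtag.js) - Google Analytics -->
<!-- Empty placeholder kept for compatibility: the loader below no longer reads the element with id "atarget", and async has no effect without a src. -->
<script id="atarget" async>
</script>
<script>
  // Loads Google Analytics (gtag.js) on every host except local development.
  //
  // Notes for maintainers:
  // - gtag.js is third-party code that runs with this page's full origin
  //   privileges. Its content is served dynamically, so Subresource Integrity
  //   cannot pin it; constrain it with a Content-Security-Policy
  //   (script-src / connect-src allow-list) instead.
  // - This block is inline, so a strict CSP needs a nonce or hash for it.
  // - NOTE(review): "UA-" IDs are Universal Analytics properties, which Google
  //   retired in 2023. Confirm this tag still collects anything; if it does
  //   not, the third-party load is attack surface with no benefit.
  {
    // Hosts treated as local development. location.hostname reports the IPv6
    // loopback with brackets, so it is listed in that form.
    const localHosts = ["localhost", "127.0.0.1", "[::1]"];

    if (localHosts.includes(window.location.hostname)) {
      console.info("Analytics disabled in development mode");
    } else {
      const gaID = "UA-200005342-1";

      window.dataLayer = window.dataLayer || [];
      // Assigned on window explicitly so the global stays available to other
      // scripts without relying on block-level function hoisting. gtag.js
      // expects the raw `arguments` object in the queue, not an array.
      window.gtag = function gtag() {
        window.dataLayer.push(arguments);
      };

      // Queue the initial commands before the library is requested; gtag.js
      // drains dataLayer once it has loaded.
      window.gtag("js", new Date());
      window.gtag("config", gaID);

      const loader = document.createElement("script");
      loader.src = `https://www.googletagmanager.com/gtag/js?id=${gaID}`;
      document.body.appendChild(loader);
    }
  }
</script>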
</body>
</html>