The new v11.2 release of MITRE ATT&CK; contains a beta version of Sub-Techniques for Mobile. The current, stable Mobile content can be accessed via the v10 release URL.

TECHNIQUES

Active Scanning

Scanning IP Blocks

Vulnerability Scanning

Wordlist Scanning

Gather Victim Host Information

Client Configurations

Gather Victim Identity Information

Email Addresses

Gather Victim Network Information

Domain Properties

Network Trust Dependencies

Network Topology

Network Security Appliances

Gather Victim Org Information

Determine Physical Locations

Business Relationships

Identify Business Tempo

Phishing for Information

Spearphishing Service

Spearphishing Attachment

Spearphishing Link

Search Closed Sources

Threat Intel Vendors

Purchase Technical Data

Search Open Technical Databases

DNS/Passive DNS

Digital Certificates

Search Open Websites/Domains

Search Victim-Owned Websites

Resource Development

Acquire Infrastructure

Virtual Private Server

Compromise Accounts

Social Media Accounts

Compromise Infrastructure

Virtual Private Server

Develop Capabilities

Code Signing Certificates

Digital Certificates

Establish Accounts

Social Media Accounts

Obtain Capabilities

Code Signing Certificates

Digital Certificates

Vulnerabilities

Stage Capabilities

Install Digital Certificate

Drive-by Target

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

Default Accounts

Domain Accounts

Command and Scripting Interpreter

Windows Command Shell

Network Device CLI

Container Administration Command

Deploy Container

Exploitation for Client Execution

Inter-Process Communication

Component Object Model

Dynamic Data Exchange

Scheduled Task/Job

Container Orchestration Job

Software Deployment Tools

System Services

Service Execution

Malicious Image

Windows Management Instrumentation

Account Manipulation

Additional Cloud Credentials

Additional Email Delegate Permissions

Additional Cloud Roles

SSH Authorized Keys

Device Registration

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Print Processors

XDG Autostart Entries

Boot or Logon Initialization Scripts

Logon Script (Windows)

Network Logon Script

Browser Extensions

Compromise Client Software Binary

Create or Modify System Process

Systemd Service

Windows Service

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

Unix Shell Configuration Modification

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

External Remote Services

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

KernelCallbackTable

Implant Internal Image

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Reversible Encryption

Office Application Startup

Office Template Macros

Outlook Home Page

System Firmware

Component Firmware

Scheduled Task/Job

Container Orchestration Job

Server Software Component

SQL Stored Procedures

Transport Agent

Terminal Services DLL

Traffic Signaling

Default Accounts

Domain Accounts

Privilege Escalation

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Print Processors

XDG Autostart Entries

Boot or Logon Initialization Scripts

Logon Script (Windows)

Network Logon Script

Create or Modify System Process

Systemd Service

Windows Service

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

Unix Shell Configuration Modification

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

Exploitation for Privilege Escalation

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

KernelCallbackTable

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Hollowing

Process Doppelgänging

Scheduled Task/Job

Container Orchestration Job

Default Accounts

Domain Accounts

Defense Evasion

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Build Image on Host

Debugger Evasion

Deobfuscate/Decode Files or Information

Deploy Container

Direct Volume Access

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Execution Guardrails

Environmental Keying

Exploitation for Defense Evasion

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Hidden Files and Directories

NTFS File Attributes

Hidden File System

Run Virtual Instance

Email Hiding Rules

Resource Forking

Process Argument Spoofing

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

KernelCallbackTable

Impair Defenses

Disable or Modify Tools

Disable Windows Event Logging

Impair Command History Logging

Disable or Modify System Firewall

Indicator Blocking

Disable or Modify Cloud Firewall

Disable Cloud Logs

Downgrade Attack

Indicator Removal on Host

Clear Windows Event Logs

Clear Linux or Mac System Logs

Clear Command History

Network Share Connection Removal

Indirect Command Execution

Invalid Code Signature

Right-to-Left Override

Rename System Utilities

Masquerade Task or Service

Match Legitimate Name or Location

Space after Filename

Double File Extension

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Reversible Encryption

Modify Cloud Compute Infrastructure

Create Snapshot

Create Cloud Instance

Delete Cloud Instance

Revert Cloud Instance

Modify Registry

Modify System Image

Patch System Image

Downgrade System Image

Network Boundary Bridging

Network Address Translation Traversal

Obfuscated Files or Information

Software Packing

Compile After Delivery

Indicator Removal from Tools

Plist File Modification

System Firmware

Component Firmware

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Hollowing

Process Doppelgänging

Reflective Code Loading

Rogue Domain Controller

Subvert Trust Controls

Gatekeeper Bypass

SIP and Trust Provider Hijacking

Install Root Certificate

Mark-of-the-Web Bypass

Code Signing Policy Modification

System Binary Proxy Execution

Compiled HTML File

System Script Proxy Execution

Template Injection

Traffic Signaling

Trusted Developer Utilities Proxy Execution

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Application Access Token

Pass the Ticket

Web Session Cookie

Default Accounts

Domain Accounts

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Weaken Encryption

Reduce Key Space

Disable Crypto Hardware

XSL Script Processing

Credential Access

Adversary-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Password Guessing

Password Cracking

Password Spraying

Credential Stuffing

Credentials from Password Stores

Securityd Memory

Credentials from Web Browsers

Windows Credential Manager

Password Managers

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials

GUI Input Capture

Web Portal Capture

Credential API Hooking

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Reversible Encryption

Multi-Factor Authentication Interception

Multi-Factor Authentication Request Generation

Network Sniffing

OS Credential Dumping

Security Account Manager

Cached Domain Credentials

Proc Filesystem

/etc/passwd and /etc/shadow

Steal Application Access Token

Steal or Forge Kerberos Tickets

AS-REP Roasting

Steal Web Session Cookie

Unsecured Credentials

Credentials In Files

Credentials in Registry

Cloud Instance Metadata API

Group Policy Preferences

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Cloud Storage Object Discovery

Container and Resource Discovery

Debugger Evasion

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Discovery

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Lateral Movement

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Distributed Component Object Model

Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material

Application Access Token

Pass the Ticket

Web Session Cookie

Adversary-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Archive Collected Data

Archive via Utility

Archive via Library

Archive via Custom Method

Automated Collection

Browser Session Hijacking

Data from Cloud Storage Object

Data from Configuration Repository

SNMP (MIB Dump)

Network Device Configuration Dump

Data from Information Repositories

Code Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Local Data Staging

Remote Data Staging

Email Collection

Local Email Collection

Remote Email Collection

Email Forwarding Rule

GUI Input Capture

Web Portal Capture

Credential API Hooking

Command and Control

Application Layer Protocol

File Transfer Protocols

Communication Through Removable Media

Standard Encoding

Non-Standard Encoding

Data Obfuscation

Protocol Impersonation

Dynamic Resolution

Domain Generation Algorithms

DNS Calculation

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Multi-hop Proxy

Domain Fronting

Remote Access Software

Traffic Signaling

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Automated Exfiltration

Traffic Duplication

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium

Exfiltration Over Bluetooth

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Web Service

Exfiltration to Code Repository

Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Internal Defacement

External Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

OS Exhaustion Flood

Service Exhaustion Flood

Application Exhaustion Flood

Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Direct Network Flood

Reflection Amplification

Resource Hijacking

System Shutdown/Reboot

Drive-By Compromise

Lockscreen Bypass

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Hardware Supply Chain

Compromise Software Supply Chain

Command and Scripting Interpreter

Scheduled Task/Job

Boot or Logon Initialization Scripts

Compromise Application Executable

Compromise Client Software Binary

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Hijack Execution Flow

System Runtime API Hijacking

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Device Administrator Permissions

Exploitation for Privilege Escalation

Process Injection

Ptrace System Calls

Defense Evasion

Download New Code at Runtime

Execution Guardrails

Foreground Persistence

Suppress Application Icon

Impair Defenses

Prevent Application Removal

Disable or Modify Tools

Indicator Removal on Host

Uninstall Malicious Application

Disguise Root/Jailbreak Indicators

Input Injection

Obfuscated Files or Information

Software Packing

Process Injection

Ptrace System Calls

Proxy Through Victim

Subvert Trust Controls

Code Signing Policy Modification

Virtualization/Sandbox Evasion

Credential Access

Access Notifications

Credentials from Password Store

GUI Input Capture

Steal Application Access Token

File and Directory Discovery

Location Tracking

Remote Device Management Services

Impersonate SS7 Nodes

Network Service Scanning

Process Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Exploitation of Remote Services

Replication Through Removable Media

Access Notifications

Adversary-in-the-Middle

Archive Collected Data

Data from Local System

GUI Input Capture

Location Tracking

Remote Device Management Services

Impersonate SS7 Nodes

Protected User Data

Calendar Entries

Stored Application Data

Command and Control

Application Layer Protocol

Dynamic Resolution

Domain Generation Algorithms

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Ingress Tool Transfer

Non-Standard Port

Out of Band Data

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Exfiltration Over Alternative Protocol

Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Account Access Removal

Data Encrypted for Impact

Data Manipulation

Transmitted Data Manipulation

Endpoint Denial of Service

Generate Traffic from Victim

Input Injection

Network Denial of Service

Drive-by Compromise

Exploit Public-Facing Application

Exploitation of Remote Services

External Remote Services

Internet Accessible Device

Remote Services

Replication Through Removable Media

Spearphishing Attachment

Supply Chain Compromise

Transient Cyber Asset

Wireless Compromise

Change Operating Mode

Command-Line Interface

Execution through API

Graphical User Interface

Modify Controller Tasking

Module Firmware

Project File Infection

System Firmware

Privilege Escalation

Exploitation for Privilege Escalation

Change Operating Mode

Exploitation for Evasion

Indicator Removal on Host

Spoof Reporting Message

Network Connection Enumeration

Network Sniffing

Remote System Discovery

Remote System Information Discovery

Wireless Sniffing

Lateral Movement

Default Credentials

Exploitation of Remote Services

Lateral Tool Transfer

Program Download

Remote Services

Automated Collection

Data from Information Repositories

Detect Operating Mode

Man in the Middle

Monitor Process State

Point & Tag Identification

Wireless Sniffing

Command and Control

Commonly Used Port

Connection Proxy

Standard Application Layer Protocol

Inhibit Response Function

Activate Firmware Update Mode

Alarm Suppression

Block Command Message

Block Reporting Message

Block Serial COM

Data Destruction

Denial of Service

Device Restart/Shutdown

Manipulate I/O Image

Modify Alarm Settings

System Firmware

Impair Process Control

Brute Force I/O

Modify Parameter

Module Firmware

Spoof Reporting Message

Unauthorized Command Message

Damage to Property

Denial of Control

Loss of Availability

Loss of Control

Loss of Productivity and Revenue

Loss of Protection

Manipulation of Control

Manipulation of View

Theft of Operational Information

Dynamic Resolution: Domain Generation Algorithms

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.^[1]

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

ID: T1637.001

Sub-technique of: T1637

Tactic Type: Post-Adversary Device Access

ⓘ

Tactic: Command and Control

ⓘ

Platforms: Android, iOS

Version: 1.0

Created: 05 April 2022

Last Modified: 05 April 2022

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0485	Mandrake	Mandrake has used domain generation algorithms.^[2]
S0411	Rotexy	Rotexy procedurally generates subdomains for command and control communication.^[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.^[3] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names

References

Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.